Ledger fixes vulnerability after several DApps that use its Connector library were compromised




Update (December 14, 2:45 PM UTC): This article has been updated to report that Ledger has fixed the issue.

The front ends of several decentralized applications (DApps) using Ledger's connector, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash, were hacked on December 14th. About three hours after the security breach was discovered, Ledger reported a malicious version of the file, which was replaced with the original version around 1:35 PM UTC.

Ledger is warning users to “always clear the mark”, adding that the addresses and the information presented on the Ledger device screen are the only real information. “If there is a discrepancy between the screen displayed on your Ledger device and your computer/phone screen, stop the transaction immediately.”

SushiSwap's Chief Technical Officer Matthew Lilley was among the first to report the issue, saying that a commonly used Web3 connector had been compromised, allowing malicious code to be injected into multiple DApps. An on-chain analyst confirmed that the vulnerable code in the Ledger library inserted the address of the drainer.


Lilley blamed Ledger for the ongoing vulnerability and the compromise of multiple DApps. The executive said that Ledger's content delivery network was compromised and that JavaScript was being loaded from the compromised network.

Ledger connector is a library used by many DApps and maintained by Ledger. A wallet drainer was added to it, so assets may not be drained from a user's account automatically. However, prompts from browser wallets such as MetaMask are shown to the user and may give malicious actors access to the assets.

Lilley warned users to avoid any DApps using the Ledger connector, adding that “connect-kit” is also vulnerable, and said this was not a single attack but a large-scale attack on multiple DApps.

Hudson Jameson, vice president of Polygon Labs, said that even after Ledger fixes the bad code in the library, projects that use and deploy the library will need to update before it's safe to use DApps using Ledger's Web3 libraries.

Ido Ben-Natan, founder and CEO of Blockaid, told Cointelegraph:

“Registration users are not at risk if they do not transact. Cannot be used on prior approvals. Revoke.cash is especially vulnerable, so don't interact with it. Funds affected are hundreds of thousands of dollars in the last two hours. Many websites are still affected, and users are getting hit.”


Ledger acknowledged the vulnerability in its code and “removed the malicious version of the Ledger link kit,” adding that “a genuine version is now being pushed to replace the malicious file.”



