How the Ledger Connect hacker tricked users into signing malicious approvals
The ‘Ledger Hacker' who took at least $484,000 from users of multiple Web3 applications on December 14 did so by tricking them into signing token approvals for a malicious contract, according to the team behind blockchain security platform Cyvers.
According to public statements from several parties, the attack took place on December 14.
We have identified and removed a malicious version of Ledger Connect Kit.
Now a genuine version is being pushed to replace the malicious file. Do not connect to any dApps for now. We will keep you updated as the situation improves.
Your recording device and…
— Ledger (@Ledger) December 14, 2023
Once the attacker had gained access, they published the malicious version of the Ledger Connect Kit package to npm. Ledger Connect Kit is a widely used package for Web3 applications.
Web3 applications that picked up the new version then served the malicious code to their users' browsers. Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were among the apps reported to be affected.
As a result, the attacker was able to extract at least $484,000 from the users of these apps. Other applications could also be affected, and experts warned that the compromise could affect the entire Ethereum Virtual Machine (EVM) ecosystem.
How did it happen?
Speaking to Cointelegraph, Cyvers CEO Deddy Lavid, Chief Technology Officer Meir Dolev and blockchain analyst Hakan Unal explained how the attack occurred.
According to them, the injected code changed or obscured the transaction details shown in the user's wallet, leading users to approve transactions they did not intend.
When developers build Web3 apps, they use open source “connect kits” to make their apps talk to users' wallets, Dolev said. These kits are pieces of code that can be loaded into many applications and handle the wallet communication so that developers do not have to write it themselves. Ledger Connect Kit is one such kit.
Today's security issue appears to be the culmination of 3 separate failures at Ledger.
1. Blindly installing code without a specific version and check in
2. Not following the “2 person rules” around code review and deployment
3. Not revoking former employee access.
— Jameson Lopp (@lopp) December 14, 2023
When a developer first writes their app, they usually install the connect kit through the Node Package Manager (npm). After they create a build and upload it to their website, the app bundle contains the connect kit as part of its code, and that code is downloaded into the user's browser every time the user visits the site.
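The install step described above is where an unpinned dependency lets a freshly published, tampered release into a build. The following is an added example, not code from Ledger, Cointelegraph or any affected project: a pre-build check that flags dependency specifiers which accept whatever newer version the registry serves, and lockfile entries that `npm ci` would install without a sha512 integrity hash or from an unexpected host. The package.json and package-lock.json objects at the bottom are constructed samples; the package names are real npm packages, but the versions, hashes and the mirror URL are illustrative.

```javascript
// Added example, not code from Ledger or any affected project. A pre-build
// check for the two habits that let a tampered npm release walk into a build:
// dependency specifiers that accept whatever newer version the registry serves,
// and lockfile entries with no integrity hash (or resolved from an unexpected
// host). package.json and package-lock.json are read as objects; the samples
// at the bottom are constructed, and their versions and hashes are illustrative.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const DEFAULT_REGISTRY = "https://registry.npmjs.org/";

// Every dependency whose specifier is not an exact version (ranges such as
// ^1.1.0 or ~1.1.0, dist-tags such as "latest", URLs, and "*" all fail).
function findUnpinnedDependencies(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Lockfile (lockfileVersion 2 or 3, "packages" map) entries that `npm ci`
// would install without a sha512 integrity check, or from a host other than
// the expected registry.
function findWeakLockEntries(lock, registry = DEFAULT_REGISTRY) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project / workspace link
    const reasons = [];
    if (!/^sha512-/.test(entry.integrity || "")) reasons.push("no sha512 integrity hash");
    if (entry.resolved && !entry.resolved.startsWith(registry)) {
      reasons.push(`resolved from ${entry.resolved}`);
    }
    if (reasons.length) out.push({ path, version: entry.version, reasons });
  }
  return out;
}

// Constructed sample project.
const samplePackageJson = {
  name: "example-dapp",
  dependencies: {
    "@ledgerhq/connect-kit": "^1.1.0", // caret range: any 1.x.y the registry offers
    ethers: "6.9.0",                   // exact pin
    wagmi: "latest",                   // dist-tag: whatever is current at install time
  },
};

const sampleLock = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp" },
    "node_modules/@ledgerhq/connect-kit": {
      version: "1.1.4",
      resolved: "https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.1.4.tgz",
      // no integrity field
    },
    "node_modules/ethers": {
      version: "6.9.0",
      resolved: "https://registry.npmjs.org/ethers/-/ethers-6.9.0.tgz",
      integrity: "sha512-ILLUSTRATIVE...",
    },
    "node_modules/wagmi": {
      version: "1.4.12",
      resolved: "https://mirror.example.invalid/wagmi-1.4.12.tgz",
      integrity: "sha512-ILLUSTRATIVE...",
    },
  },
};

// Run both checks; a CI job would fail the build when either list is non-empty.
function runChecks(pkg = samplePackageJson, lock = sampleLock) {
  return { unpinned: findUnpinnedDependencies(pkg), weakLock: findWeakLockEntries(lock) };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Pinning and `npm ci` (which installs exactly what the lockfile records and fails on a mismatch) only stop a new release from arriving unnoticed; they do not tell you whether the pinned release is clean, so bumping a version still needs someone to read the diff.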
According to the Cyvers team, the malicious code injected into the Ledger Connect Kit allowed the attacker to change the transaction being pushed to the user's wallet. For example, as part of using an app, a user often needs to grant a token approval (an allowance), which lets the app's contract withdraw tokens from the user's wallet.
The malicious code may have caused the user's wallet to display a token approval request, but with the attacker's contract listed as the spender instead of the application's contract. Or it may have caused a wallet confirmation to appear with raw, hard-to-interpret calldata, leading the user to confirm without understanding what they were agreeing to.
Blockchain data shows that the victims of the attack granted very large token allowances to the malicious contract. For example, the attacker withdrew more than $10,000 in one transaction from Ethereum address 0xAE49C1ad3cf1654C1B22a6Ee38dD5Bc4ae08fEF7. The log of that transaction shows that the user had approved a large USDC allowance for a malicious contract.
The user may have signed this approval in error because of the malicious code, the Cyvers team said. They warned that avoiding such an attack is extremely difficult, as wallets do not always show users clear information about what they are agreeing to. One security practice that can help is to carefully review each transaction confirmation message that pops up while using an app. However, this may not help if the transaction is shown as unreadable or confusing calldata.
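To make the spender swap and the on-chain evidence concrete, here is an added example; it is not code from Ledger, Cyvers or any affected app. It encodes an ERC-20 `approve(spender, amount)` call the way a dApp would, shows how code injected into a connect kit can rewrite the spender before the wallet displays the request, decodes the calldata the way a careful wallet or user-side check should, and decodes an `Approval` event log of the kind the victim's transaction emitted. The function selector and event topic are the real keccak256-derived constants; every address, the token, and the sample log are hypothetical placeholders constructed for the example.

```javascript
// Added example, not code from Ledger, Cyvers or any affected app. It encodes
// an ERC-20 approve() call the way a dApp would, shows how injected kit code
// can swap the spender before the wallet displays it, and decodes the calldata
// (and the resulting Approval log) the way a careful wallet or reviewer would.
// Selector and event topic are the real keccak256-derived constants; every
// address below is a hypothetical placeholder.
const APPROVE_SELECTOR = "095ea7b3"; // keccak256("approve(address,uint256)")[0:4]
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"; // keccak256("Approval(address,address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;
const USDC_DECIMALS = 6n;

const USDC_TOKEN = "0x1000000000000000000000000000000000000001"; // hypothetical token
const APP_SPENDER = "0x1111111111111111111111111111111111111111"; // hypothetical app contract
const ATTACKER = "0x2222222222222222222222222222222222222222"; // hypothetical attacker contract
const VICTIM = "0x3333333333333333333333333333333333333333"; // hypothetical user wallet

// Left-pad a hex string (with or without 0x) to one 32-byte ABI word.
function word(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// approve(spender, amount) calldata: 4-byte selector + two 32-byte words.
function encodeApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR + word(spender) + word(amount.toString(16));
}

// Inverse of encodeApprove; returns null for anything that is not approve().
function decodeApprove(calldata) {
  const h = calldata.replace(/^0x/, "").toLowerCase();
  if (h.length !== 8 + 64 + 64 || h.slice(0, 8) !== APPROVE_SELECTOR) return null;
  return { spender: "0x" + h.slice(32, 72), amount: BigInt("0x" + h.slice(72)) };
}

// What the injected kit code does: rewrite the spender on the way to the wallet.
// The amount is untouched, so the prompt looks like the app's normal request.
function maliciousHook(tx) {
  const d = decodeApprove(tx.data);
  return d ? { ...tx, data: encodeApprove(ATTACKER, d.amount) } : tx;
}

// What a wallet or user-side check should do before signing: decode the calldata,
// compare the spender with the contract the app is known to use, and flag
// unlimited allowances, which is what the victims in this incident granted.
function reviewApproval(tx, expectedSpender, decimals = USDC_DECIMALS) {
  const d = decodeApprove(tx.data);
  if (!d) return { ok: false, problems: ["not an approve() call"] };
  const problems = [];
  if (d.spender !== expectedSpender.toLowerCase()) {
    problems.push(`spender ${d.spender} is not the expected ${expectedSpender.toLowerCase()}`);
  }
  if (d.amount === MAX_UINT256) problems.push("unlimited allowance");
  const human = d.amount === MAX_UINT256 ? "unlimited" : (d.amount / 10n ** decimals).toString();
  return { ok: problems.length === 0, spender: d.spender, amount: d.amount, human, problems };
}

// After the fact: decode an Approval(owner, spender, value) log from the chain
// to see who was really granted the allowance. owner and spender are indexed
// (topics 1 and 2, right-aligned in 32 bytes); value is in the data field.
function decodeApprovalLog(log) {
  if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) return null;
  return {
    token: log.address,
    owner: "0x" + log.topics[1].slice(26),
    spender: "0x" + log.topics[2].slice(26),
    value: BigInt(log.data),
  };
}

// Constructed sample: the app asks for a 1,000 USDC allowance; the hook rewrites it.
const honestTx = { to: USDC_TOKEN, data: encodeApprove(APP_SPENDER, 1000n * 10n ** USDC_DECIMALS) };
const tamperedTx = maliciousHook(honestTx);

// Constructed sample log of the kind the victim's transaction emitted:
// an unlimited USDC allowance granted to the attacker's contract.
const sampleLog = {
  address: USDC_TOKEN,
  topics: [APPROVAL_TOPIC, "0x" + word(VICTIM), "0x" + word(ATTACKER)],
  data: "0x" + word(MAX_UINT256.toString(16)),
};

console.log(reviewApproval(honestTx, APP_SPENDER));
console.log(reviewApproval(tamperedTx, APP_SPENDER));
console.log(decodeApprovalLog(sampleLog));
```

The point of `reviewApproval` is that the spender is the field a user cannot eyeball when a wallet shows raw hex: the tampered request carries the same amount as the honest one and differs only in the 20 bytes of the spender word, so the check has to be done by decoding, not by glancing at the prompt.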
Related: ConsenSys exec on MetaMask Snaps security: ‘Consent is king'
Cyvers said their platform lets businesses check contract addresses and determine whether those addresses have been involved in security incidents. For example, the account that created the smart contracts used in this attack had been flagged by Cyvers in 180 security incidents.
The team told Cointelegraph that while future Web3 tools should make it possible to detect and thwart these types of attacks, the industry still has “a long way to go” to solve this problem.