Registry Vulnerability Puts the Entire DApp Ecosystem at Risk: Finance Redefined
Welcome to Finance Redefined, your weekly volume of decentralized finance (DeFi) insights – a newsletter designed to bring you the most relevant developments from the past week.
Last week, an unprecedented chain of events in DeFi took place on December 14th when a malicious actor exploited a vulnerability in the Ledger hardware wallet connector library. The exploit puts the decentralized application (DApp) ecosystem at risk. Analysts on-chain and DApps like SushiSwap and MetaMask have advised users not to make any connections with their wallets.
Ledger released a patch within hours to contain the vulnerability, but the exploit made off with more than $650,000 in assets from multiple victims. However, considering the number of wallets and DApps at risk, the amount leaked was much smaller.
How the Ledger Connect hacker tricks users into making malicious authorizations
The “Ledger Hacker,” who collected at least $484,000 from multiple Web3 applications on Dec. 14, did so by tricking Web3 users into validating a malicious token, according to the team behind blockchain security platform Syvers.
According to public statements made by several parties, the hacking took place on December 14th. The attacker used a phishing exploit to compromise a former Ledger employee's computer and gain access to the employee's Node Package Manager JavaScript account.
Continue reading
Fixes a registry vulnerability after several DApps that use the Connector library were compromised
The front end of several decentralized applications (DApps) using Ledger Connector, Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were hacked on December 14th. About three hours after the security breach was discovered, the Ledger reported a malicious version. The file was replaced with the original version around 1:35 PM UTC.
Ledger is warning users to “always clear the mark”, the addresses and the information presented on the mail screen are the only real information. “If there is a discrepancy between the screen displayed on your Ledger device and your computer/phone screen, stop the transaction immediately.”
Continue reading
Yearn.finance pleads with Friday traders to get their money back after a $1.4 million multi-sig crash.
Decentralized financial protocol Yearn.finance is hoping arbitrators will return $1.4 million in funds after a multi-signature scripting bug drained a large amount of the protocol's treasury.
“A flawed multisig script caused Yearn's public treasury to exchange 3,794,894 lp-yCRVv2 tokens,” according to a Dec. 11 GitHub post by Yearn contributor “dudesah”.
Continue reading
OKX DEX Faces $2.7 Million Exploitation After Proxy Manager Contract Update
OKX Decentralized Exchange (DEX) suffered a $2.7 million hack on December 13 after it was revealed that the private key of its proxy administrator had been leaked.
On December 13, the blockchain security firm SlowMist Zone posted on X (formerly Twitter) that the OKX DEX had “experienced a problem”. According to the report, the issue started on December 12, 2023 at 10:23 pm UTC after the owner of the proxy manager updated the DEX proxy contract to a new execution contract and the user started stealing tokens.
Continue reading
Overview of the DeFi market
According to data from Cointelegraph Markets Pro and TradingView, DeFi's top 100 tokens had the biggest week by market capitalization, mostly in the green trading on the weekly charts. The total value locked up in DeFi protocols remains over $60 billion.
Thanks for reading this week's roundup of the most impactful DeFi developments. Join us next Friday for more stories, insights and lessons about this dynamic and evolving space.
