Ledger resolves security flaw affecting dApps, $500k in user losses
The wallet manufacturer traces the exploit's origins to a phishing attack targeting a former employee.
Ledger’s Connect Kit library was compromised earlier today, affecting the front end of several decentralized applications (dApps) including SushiSwap, Kyber, Revoke.cash, Phantom, and Zapper. Notably, the affected wallets are all based on the Ethereum Virtual Machine (EVM).
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
The exploit was a front-end attack: affected dApps showed users a pop-up prompting them to connect their wallets, exposing them to a token-draining risk. The compromised library had been injected with malicious code that allowed the attackers to divert funds. Ledger has confirmed the vulnerability and removed the library’s malicious version, replacing it with a genuine version.
Ledger attributed the exploit’s origins to a phishing attack that targeted a former employee, through which the bad actor gained access to internal information. Analysis from SushiSwap CTO Matthew Lilley explains that Ledger was loading JavaScript configurations from a CDN (Content Delivery Network) without version-locking the scripts. Ledger’s CDN was then compromised, exposing multiple dApps.
At the time of writing, Ledger has confirmed that it has successfully propagated the genuine version of Ledger Connect Kit.
UPDATE: The genuine Ledger Connect Kit 1.1.8 is now fully propagated. Ledger and WalletConnect can confirm that the malicious code was deactivated. You are now safe to use your Ledger Connect Kit. Reminder that we always encourage clear signing.
— Ledger (@Ledger) December 14, 2023
A post-mortem report from Ledger states that it worked with WalletConnect, Chainalysis, and Tether to freeze the threat actor’s wallet. The hardware wallet firm also said it had rotated the secret keys used for publishing to its GitHub repo. Developers building on and interacting with the Ledger Connect Kit code were also advised that the NPM repo is now read-only, disabling direct NPM package push requests to secure the project.
Ledger also stated that its hardware devices and the Ledger Live app were not compromised.
Blockaid, a Web3 security firm integrated with crypto wallets such as MetaMask, OpenSea, and Rainbow, has estimated that roughly $504k in value was wiped across dApps due to the exploit. According to an unverified estimate, the exploit impacts roughly 180 wallets across Ethereum, Avalanche, Arbitrum, Base, Optimism, Polygon, and BSC.
After the resolutions were implemented, Ledger Chairman and CEO Paul Gauthier issued a letter acknowledging the adverse impact of the exploit.
“This was an unfortunate isolated incident. It is a reminder that security is not static, and Ledger must continuously improve our security systems and processes. In this area, Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel,” Gauthier said.
Ledger has yet to issue an official number on the exploit’s impact based on their internal investigation and correspondence with affected users.