Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » News » Ledger resolves security flaw affecting dApps, $500k in user losses

Ledger resolves security flaw affecting dApps, $500k in user losses

by

The wallet manufacturer traces the exploit's origins to a phishing attack targeting a former employee.

Ledger resolves security flaw affecting dApps, $500k in user losses

Share this article

Ledger’s Connect Kit library was compromised earlier today, affecting the front end of several decentralized applications (dApps) including SushiSwap, Kyber, Revoke.cash, Phantom, and Zapper. Notably, the affected wallets are all based on the Ethereum Virtual Machine (EVM).

The exploit involved a front-end attack that prompted users to connect their wallets through a pop-up, leading to a token-draining risk. The compromised library was injected with malicious code, allowing hackers to divert funds. Ledger has confirmed the vulnerability and removed the library’s malicious version, replacing it with a genuine version.

Ledger attributed the exploit’s origins to a phishing attack that targeted a former employee, with the bad actor gaining access to internal information. Analysis from SushiSwap CTO Matthew Lilley explains that Ledger was loading JavaScript configurations from a CDN (Content Delivery Network) without version-locking the scripts. Ledger’s CDN was then compromised, resulting in multiple dApps getting exposed.

At the time of writing, Ledger has confirmed that it has successfully propagated the genuine version of Ledger Connect Kit.

A post-mortem report from Ledger states that they have worked with WalletConnect, Chainalysis, and Tether to freeze the threat actor’s wallet. The hardware wallet firm also said they had rotated secret keys for publishing to their GitHub repo. Developers building and interacting with the Ledger Connect Kit code were also advised that the NPM repo is now read-only, disabling direct NPM package push requests to secure the project.

Ledger also stated that its hardware devices and the Ledger Live app were not compromised.

Blockaid, a Web3 security firm integrated with crypto wallets such as MetaMask, OpenSea, and Rainbow, has estimated that roughly $504k in value was wiped across dApps due to the exploit. According to an unverified estimate, the exploit impacts roughly 180 wallets across Ethereum, Avalanche, Arbitrum, Base, Optimism, Polygon, and BSC.

After the resolutions were implemented, Ledger Chairman and CEO Paul Gauthier issued a letter acknowledging the adverse impact of the exploit.

“This was an unfortunate isolated incident. It is a reminder that security is not static, and  Ledger must continuously improve our security systems and processes. In this area, Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel.” Gauthier said.

Ledger has yet to issue an official number on the exploit’s impact based on their internal investigation and correspondence with affected users.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.