CryptoSpiel.com

An Isolated Event, CEO Says

December 16, 2023
in Crypto News

  • Ledger quickly resolves a vulnerability that affected multiple DApps, including SushiSwap and Revoke.cash, strengthening security on its platform.
  • The security breach in Ledger’s connector library underscores the importance of constant vigilance in the crypto ecosystem.

On the morning of December 14, a former Ledger employee suffered a phishing attack that allowed a hacker to access his NPMJS account. The hacker posted a malicious version of the Ledger Connect Kit, affecting versions 1.1.5, 1.1.6 and 1.1.7.

The malicious code used a fraudulent WalletConnect project to redirect funds to the attacker’s wallet. Ledger, realizing the problem, reacted quickly and managed to deploy a patch in just 40 minutes. However, the malicious file was active for approximately 5 hours, and funds were misappropriated over a period of at least two hours.

This library vulnerability affected several decentralized applications (DApps), including SushiSwap and Revoke.cash.

The Scope of the Vulnerability

The security flaw affected the front end of multiple DApps using the Ledger connector, such as Zapper, Phantom, Balancer and Revoke.cash. The issue was detected and reported on December 14.

⚠️⚠️⚠️⚠️⚠️⚠️
Warning: Multiple popular crypto applications that integrate with Ledger’s ConnectKit library, including https://t.co/MkINKOiX5N have been compromised. We temporarily took the website offline as we’re investigating further. We recommend not using *any* crypto website…

— Revoke.cash (@RevokeCash) December 14, 2023

Ledger acted quickly and, approximately three hours after the discovery of the breach, replaced the malicious version of the file with its authentic version at around 1:35 pm UTC.

Incident Reporting and Analysis

Matthew Lilley, CTO of SushiSwap, was one of the first to report the problem. He noticed that a commonly used Web3 connector had been compromised, allowing malicious code to be injected into numerous DApps. Analysis of the Ledger library confirmed the compromise: the malicious code inserted the address of a drain account.

What happened?

In short, @Ledger made a chain of terrible blunders.

1. They are loading JS from a CDN.
2. They are not version locking loaded JS.
3. They had their CDN compromised.

I would avoid using ANY dApps until their teams confirm that they have mitigated the attack. https://t.co/a3brXNQSx9

— I’m Software 🦇🔊 (@MatthewLilley) December 14, 2023

Cautions for Ledger Users

The Ledger connector is a library used by many DApps and maintained by Ledger. While the addition of a wallet drainer does not necessarily result in automatic loss of assets, it could allow malicious actors to access these assets through browser wallet requests such as MetaMask.

ANY dApp which makes use of LedgerHQ/connect-kit is vulnerable. Don’t use ANY dApps until further notice. This isn’t a single isolated attack, it’s a large-scale attack on multiple dApps. https://t.co/a3brXNQSx9

— I’m Software 🦇🔊 (@MatthewLilley) December 14, 2023

Lilley warned users to avoid DApps that use the Ledger connector and noted that the connect-kit is also vulnerable. He stressed that this is not an isolated attack, but a large-scale attack affecting multiple DApps.

Expert Statements and Proposed Solutions

Hudson Jameson, vice president of Polygon Labs, mentioned that even after Ledger fixes the flawed code in its library, projects that use and implement it will need to update it before it is safe to use DApps that employ Ledger’s Web3 libraries.

Ledger Library Exploit Explainer for Average Folks

What is going on with the recent alerts not to use dapps?

A library that is used by many dapps that is maintained by Ledger was compromised and a wallet drainer was added.

What do I do as a normal user?

Do not interact with… https://t.co/exre0QfykD

— Hudson Jameson (@hudsonjameson) December 14, 2023

Ido Ben-Natan, co-founder and CEO of Blockaid, advised Ledger users that they are not at risk if they do not transact and that it is not exploitable in pre-approvals. He specifically noted that Revoke.cash is affected and recommended not interacting with it. He mentioned that the number of impacted funds amounts to hundreds of thousands of dollars in the last two hours and that many websites are still affected.

Collaboration to Resolve the Crisis

Ledger worked closely with WalletConnect, who quickly disabled the fraudulent project. The authentic and secure version of the Ledger Connect kit, version 1.1.8, is now available for use.

Additional Security Measures

As an additional security measure, the Connect Kit development team now has read-only access to the NPM project, meaning that its members cannot directly publish the NPM package. Ledger has also changed the publishing secrets on GitHub. Developers are urged to check out and use the latest version, 1.1.8.
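
A lockfile audit for the versions named in this article, as an added example rather than code from Ledger or from the original article. It assumes the library is installed from npm under the package name `@ledgerhq/connect-kit` and that the project keeps a `package-lock.json`; the function name and both sample lockfiles are constructed for illustration.

```javascript
// Added example: find every installed copy of the Connect Kit in an npm lockfile.
const PKG = "@ledgerhq/connect-kit";              // npm package name (assumption)
const BAD = new Set(["1.1.5", "1.1.6", "1.1.7"]); // affected versions per the article
const FIXED = "1.1.8";                            // clean release per the article

// Takes a parsed package-lock.json, returns [{path, version, status}, ...].
function auditLockfile(lock) {
  const hits = [];
  const record = (path, version) => hits.push({
    path, version,
    status: BAD.has(version) ? "COMPROMISED" : version === FIXED ? "fixed" : "other",
  });
  // lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
  // Transitive copies are nested under another package's node_modules.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (("/" + path).endsWith("/node_modules/" + PKG)) record(path, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail + "/" + name;
      if (name === PKG) record(here, meta.version);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: a direct install on 1.1.8 and a transitive copy on 1.1.6.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.0.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
    "node_modules/some-wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
  },
};
// Constructed sample in the older v1 layout, with a nested copy on 1.1.7.
const legacyLock = {
  lockfileVersion: 1,
  dependencies: { "some-wallet-ui": { version: "2.0.0",
    dependencies: { "@ledgerhq/connect-kit": { version: "1.1.7" } } } },
};

for (const h of auditLockfile(sampleLock)) console.log(h.status, h.version, h.path);
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile`. A copy fetched from a CDN at page load never appears in a lockfile, so this covers bundled installs only.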

Acknowledgements and Focus on Security

Ledger thanks WalletConnect, Tether, Chainalysis, Zachxbt and the entire community for their prompt help and support in identifying and resolving the attack. The company reaffirms its commitment to security and stresses that it will prevail with the help of the entire ecosystem.

Importance of Security in the Crypto Ecosystem

This incident serves as a critical reminder about the importance of security in the cryptocurrency ecosystem. Ledger’s quick response and the collaboration of the crypto community demonstrate resilience and adaptability in the face of security threats.

However, it also underscores the continued need for vigilance and caution on the part of users when interacting with DApps and transacting in cryptocurrencies. With the growing interest and adoption of cryptocurrencies, ensuring the security and trust of users remains a key pillar for the sustainable development of the crypto ecosystem.

Crypto News Flash does not endorse and is not responsible for or liable for any content, accuracy, quality, advertising, products, or other materials on this page. Readers should do their own research before taking any actions related to cryptocurrencies. Crypto News Flash is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods, or services mentioned.

