Update (Dec. 14 at 2:45 pm UTC): This article has been updated to clarify that Ledger has reportedly fixed the issue.
The front ends of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash, were compromised on Dec. 14. Nearly three hours after the security breach was discovered, Ledger reported that the malicious version of the file had been replaced with its genuine version around 1:35 pm UTC.
Ledger is warning users “to always Clear Sign” transactions, adding that the addresses and the information presented on the Ledger screen are the only genuine information. “If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”
SushiSwap chief technical officer Matthew Lilley was among the first to report the issue, noting that a commonly used Web3 connector was compromised, allowing malicious code to be injected into numerous DApps. The on-chain analyst said the Ledger library confirmed the compromise, with the vulnerable code inserting the drainer account address.
RED ALERT:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software (@MatthewLilley) December 14, 2023
Lilley blamed Ledger for the vulnerability and the resulting compromise of multiple DApps. The exec claimed that Ledger’s content delivery network was compromised and that the malicious JavaScript was being loaded from that network.
seems like Ledger's @ledgerhq/connect-kit npm package was hacked, the latest publish was 2 hours ago. https://t.co/jFb6CThljS pic.twitter.com/AsbA675D9Q
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023
Ledger connector is a library maintained by Ledger and used by many DApps. A wallet drainer was added to it; the drainer might not take assets from a user’s account on its own, but it causes prompts from a browser wallet like MetaMask to appear, and approving them could give malicious actors access to the assets.
Lilley warned users to avoid any DApps using the Ledger connector, adding that the “connect-kit” is also vulnerable, and that this isn’t a single isolated attack but a large-scale attack on multiple DApps.
The vulnerability with Ledger Connect Kit should be resolved now
This appears to have been an EVM-only exploit, but we can confirm Phantom users on dapps with compromised front-ends would have seen the proper warnings in our transaction preview.
— Phantom (@phantom) December 14, 2023
Polygon Labs vice president Hudson Jameson said even after Ledger corrects the bad code in its library, projects using and deploying the library will need to update before it is safe to use DApps using Ledger’s Web3 libraries.
looks like $610K+ drained
drainer customer
0x658729879fca881d9526480b82ae00efc54b5c2d
drainer fee address
0x412f10AAd96fD78da6736387e2C84931Ac20313f pic.twitter.com/Rld2BsKNDo
— ZachXBT (@zachxbt) December 14, 2023
Ido Ben-Natan, co-founder and CEO of Blockaid, told Cointelegraph:
“Ledger users are not at risk if not transacting. It is not exploitable on prior approvals. Revoke.cash specifically is affected, so don’t interact with it. The number of impacted funds is hundreds of thousands of dollars over the past two hours. Many websites are still affected, and users are getting hit.”
Ledger acknowledged the vulnerability in its code and said it has “removed a malicious version of the Ledger Connect Kit,” adding that “a genuine version is being pushed to replace the malicious file now.”
We have identified and removed a malicious version of the Ledger Connect Kit.
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023