Cryptocurrency hardware wallet provider Ledger is changing its transaction signing process after the exploit of the Ledger Connect Kit software library on December 14.
“We are aware that approximately $600,000 in assets was stolen and affected from blind signing users of the EVM DApp,” Ledger wrote in an X post on Wednesday. “We have committed to working with the DApp ecosystem to allow clear signatures and no longer allow blind signatures using Ledger devices by June 2024.”
The company said both Ledger and non-Ledger customers who lost funds due to the exploit will be “all-out” by the end of February 2024. It added that people who signed transactions on the affected DApps should cancel unauthorized transactions to prevent the malware from affecting them further.
“Our commitment is to work with the community and the DApp ecosystem to allow for clear signatures so that users can verify every transaction on their Ledger device before signing. This is a new way to protect users and encourage clear signatures across DApps. It will lead to standards,” Ledger wrote.
Blind signing refers to the process in which users authorizing on-chain transactions with their private keys are presented with raw data that computers can interpret but humans cannot read. Clear signing presents a summary of the transaction that users can review and understand before executing it, Ledger explained in a June 2022 article.
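To make the distinction concrete, here is an added example (not from the article and not Ledger's code) that decodes EVM calldata into the kind of summary a clear-signing prompt would display. The sample calldata and spender address are constructed, and the small selector table and warning wording are assumptions chosen for illustration.

```python
# Added illustration: raw calldata (what a blind-signing prompt amounts to)
# versus a decoded, human-readable summary (what clear signing aims to show).
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of standard ERC-20 / ERC-721 functions and their argument types.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}

def decode_word(kind, word):
    """Decode one 32-byte ABI word as an address, bool or uint256."""
    if kind == "address":
        if any(word[:12]):
            raise ValueError("address word has non-zero padding")
        return "0x" + word[12:].hex()
    value = int.from_bytes(word, "big")
    if kind == "bool":
        if value > 1:
            raise ValueError("bool word is not 0 or 1")
        return bool(value)
    return value

def clear_view(calldata):
    """Return a readable summary of the call, or mark it as undecodable."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector, args = raw[:4].hex(), raw[4:]
    if selector not in SELECTORS:
        # Nothing readable can be shown: approving this would be blind signing.
        return {"function": "unknown", "args": [],
                "warnings": ["cannot decode call; signing would be blind"]}
    name, kinds = SELECTORS[selector]
    if len(args) != 32 * len(kinds):
        raise ValueError("argument length does not match " + name)
    values = [decode_word(k, args[i * 32:(i + 1) * 32]) for i, k in enumerate(kinds)]
    warnings = []
    if name == "approve" and values[1] == MAX_UINT256:
        warnings.append("unlimited token allowance")
    if name == "setApprovalForAll" and values[1] is True:
        warnings.append("grants operator control over all tokens")
    return {"function": name, "args": values, "warnings": warnings}

# Constructed sample: approve(spender, max uint256) with a placeholder spender.
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32

if __name__ == "__main__":
    print("raw data :", SAMPLE_APPROVE)
    print("summary  :", clear_view(SAMPLE_APPROVE))
```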
Ledger Connect Kit security issue
Last week, a serious vulnerability in software libraries that Ledger relies on affected several decentralized applications, The Block previously reported. Potentially, a compromise of the content delivery network serving the software library resulted in malicious code being injected into the app’s front end, allowing exploiters to steal assets.
Ledger identified and removed the malware, but third-party organizations estimated that approximately $500,000 worth of funds had been affected at the time.
(Updated with explanation of blind and clear signatures.)
© 2023 The Block. All rights reserved. This article is provided for informational purposes only. It is not provided or intended to be used as legal, tax, investment, financial or other advice.