Update (December 14, 2:45 p.m. UTC): This article has been updated to clarify that Ledger has reportedly resolved the issue.
The front ends of several decentralized applications (DApps) that use Ledger’s connectors were compromised on December 14, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. Nearly three hours after the security breach was discovered, Ledger reported that the malicious version of the file had been replaced with the genuine version at approximately 1:35 PM UTC.
Ledger warns users to “always clear signature” transactions, adding that the address and information displayed on the Ledger screen are the only real information. “If there is a difference between the screen displayed on your Ledger device and your computer/mobile phone screen, stop the transaction immediately.”
Matthew Lilley, Chief Technology Officer at SushiSwap, was the first to report the issue, noting that a commonly used Web3 connector had been compromised, allowing malicious code to be injected into numerous DApps. On-chain analysts said they identified a compromise in the Ledger library where vulnerable code inserted drainer account addresses.
Red warning:
Please do not interact with any dApps until further notice. It appears that a commonly used web3 connector may have been compromised, allowing malicious code to be injected affecting a large number of dApps.
— I am Software (@MatthewLilley) December 14, 2023
Lilley blamed Ledger for ongoing vulnerabilities and compromises to several DApps. The executive claimed that Ledger’s content delivery network was compromised and that JavaScript was loaded from the compromised network.
Ledger’s @ledgerhq/connect-kit npm package appears to have been hacked. Latest posting was 2 hours ago. https://t.co/jFb6CThljS pic.twitter.com/AsbA675D9Q
— Scam Sniffer | Web3 Scam Prevention (@realScamSniffer) December 14, 2023
Ledger Connector is a library used by many DApps and maintained by Ledger. A wallet drainer was added to it, so assets in a user’s account may not be drained on their own. However, users may see prompts from browser wallets such as MetaMask and, by approving them, allow malicious actors to access their assets.
Lilley warned users to avoid DApps that use the Ledger connector, adding that “connect-kit” is also vulnerable and that this is not a single isolated attack, but rather a large-scale attack against multiple DApps.
The vulnerability in the Ledger Connect Kit should now be resolved.
This appears to be an EVM-only exploit, but we can confirm that Phantom users of dapps with compromised frontends will have seen appropriate warnings in their transaction previews.
— Phantom (@phantom) December 14, 2023
Hudson Jameson, vice president at Polygon Labs, said that to safely use DApps that rely on Ledger’s Web3 library, even after Ledger fixes the incorrect code in the library, the projects that use and deploy the library must be updated.
I think over $610,000 was spent
drain customer
0x658729879fca881d9526480b82ae00efc54b5c2d
Drain Fee Address
0x412f10AAd96fD78da6736387e2C84931Ac20313f pic.twitter.com/Rld2BsKNDo
— ZachXBT (@zachxbt) December 14, 2023
Blockaid co-founder and CEO Ido Ben-Natan told Cointelegraph:
“Ledger users are not at risk if they do not transact. Not available with prior approval. Revoke.cash is particularly affected, so do not interact with it. The number of funds affected in the last two hours is in the hundreds of thousands of dollars. Many websites are still affected and our users are also affected.”
Ledger acknowledged vulnerabilities in its code and said it had “removed the malicious version of the Ledger Connect Kit,” adding that “a genuine version is now being pushed to replace the malicious file.”
We identified and removed a malicious version of the Ledger Connect Kit.
A genuine version is currently being promoted to replace the malicious file. Do not interact with any dApps at this time. We will keep you posted as the situation develops.
With your Ledger device…
— Ledger (@Ledger) December 14, 2023