Welcome to Finance Redefine, a newsletter designed to bring you the most important developments of the past week. A newsletter that delivers essential decentralized finance (DeFi) insights each week.
Last week, an unprecedented series of events unfolded in DeFi, with malicious actors exploiting a vulnerability in the Ledger hardware wallet connector library on December 14th. This attack put the entire decentralized application (DApp) ecosystem at risk. On-chain analysts and DApps like SushiSwap and MetaMask have advised users not to interact with their wallets at all.
Although Ledger released a patch within hours to contain the vulnerability, the attackers managed to extort more than $650,000 in assets from several victims. However, considering the number of wallets and DApps at risk, the amount being leaked is significantly lower than expected.
How Ledger Connect hackers tricked users into giving malicious approvals
The “Ledger hacker” who swindled at least $484,000 from several Web3 apps on December 14 did so by tricking Web3 users into approving malicious tokens, according to the team at blockchain security platform Cybers.
The hack occurred on the morning of December 14, according to public statements from several parties involved. The attackers used a phishing exploit to compromise the computer of a former Ledger employee and gain access to the employee’s Node Package Manager JavaScript account.
Continue reading
Ledger Patch Vulnerabilities After Multiple DApps Using Connector Library were Compromised
The front ends of several decentralized applications (DApps) that use Ledger’s connectors were compromised on December 14, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. Nearly three hours after the security breach was discovered, Ledger reported the presence of a malicious version of: The file is replaced The retail version will be available at approximately 1:35 PM UTC.
Ledger warns users to “always clear signature” transactions, adding that the address and information displayed on the Ledger screen are the only real information. “If you see any discrepancies between what you see on your Ledger device and what you see on your computer/mobile phone, stop the transaction immediately.”
Continue reading
Yearn.finance pleads for arbitrageurs to return funds after $1.4 million multi-signature crash.
Decentralized finance protocol Yearn.finance expects an arbitrage trader to return $1.4 million in funds after a multi-signature scripting error depleted the protocol’s funds.
“An incorrect multisig script led to the exchange of 3,794,894 lp-yCRVv2 tokens, Yearn’s entire treasury balance,” Yearn contributor “dudesahn” said in a Dec. 11 GitHub post.
Continue reading
OKX DEX suffered $2.7 million in abuse after proxy manager contract upgrade.
The OKX decentralized exchange (DEX) suffered a $2.7 million hack on December 13 after the private keys of proxy manager owners were reportedly leaked.
On December 13, blockchain security company SlowMist Zone posted on X (formerly Twitter) that “a problem has occurred” with OKX DEX. According to the report, the problem began around 10:23 PM UTC on December 12, 2023, after the proxy manager owner upgraded the DEX proxy contract to a new implementation contract and users began stealing tokens.
Continue reading
DeFi Market Overview
According to data from Cointelegraph Markets Pro and TradingView, the top 100 tokens in DeFi by market capitalization showed strength, with most weekly charts trading in the green. Total value locked in DeFi protocols remained above $60 billion.
Thank you for reading our roundup of the most influential DeFi developments this week. Join us next Friday for more stories, insights and education about this dynamic and evolving space.