March 27, 2024
DApp Disaster: Ledger Connector Compromised, Millions in Crypto at Risk

In a recent security incident, the front end of various decentralized applications (DApps), including popular ones like Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, fell victim to compromise on December 14th. Ledger, the renowned hardware wallet provider, reported the breach and confirmed that the malicious file was replaced with its genuine version approximately three hours after the discovery, around 1:35 pm UTC.

Ledger is urging users to be careful and to always Clear Sign transactions. The company advises users to rely on the information displayed on their Ledger device screens, as discrepancies between the device and computer/phone screens may indicate a potential threat. Ledger stresses that users should halt a transaction immediately if such differences are detected.

Matthew Lilley, CTO of SushiSwap, was among the first to report the compromise. He revealed that a commonly used Web3 connector had been exploited, allowing malicious code injection into numerous DApps. Lilley placed blame on Ledger for the ongoing vulnerability, asserting that Ledger’s content delivery network had been compromised, with JavaScript loaded from the compromised network.

The Ledger connector, a library maintained by Ledger and utilized by numerous DApps, was compromised, and a wallet drainer was added. While assets may not be drained automatically, prompts from browser wallets such as MetaMask could potentially grant malicious actors access to user assets.

Lilley urged users to avoid DApps using the Ledger connector and noted that the “connect kit” is also vulnerable. He emphasized that this is not an isolated incident but rather a large-scale attack on multiple DApps.

Hudson Jameson, VP of Polygon Labs, highlighted the need for projects to update even after Ledger corrects the code in its library. He noted that users are not at risk if not transacting, but the impact on affected funds has already reached hundreds of thousands of dollars.

Ledger acknowledged the vulnerability in its code and announced the removal of the malicious version of the Ledger Connect Kit. The company assured users that a genuine version is being pushed to replace the compromised file.
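
For DApps that load a third-party connector as JavaScript from a CDN, as described above, a pinned Subresource Integrity (SRI) value lets the page reject a file that was swapped at the source. The Node.js code below is an added example, not Ledger's or any affected project's code; the script bodies are constructed samples and the function names are hypothetical.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// Hash algorithms SRI allows, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build an integrity value ("sha384-<base64>") for a script body.
function sriFor(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Parse an integrity attribute and keep only the entries that use the
// strongest algorithm present, which is how browsers treat multiple hashes.
function parseIntegrity(attr) {
  const entries = attr.trim().split(/\s+/).map((tok) => {
    const [hashExpr] = tok.split("?"); // drop any "?options" suffix
    const i = hashExpr.indexOf("-");
    return { alg: hashExpr.slice(0, i), digest: hashExpr.slice(i + 1) };
  }).filter((e) => STRENGTH.includes(e.alg));
  const best = Math.max(-1, ...entries.map((e) => STRENGTH.indexOf(e.alg)));
  return entries.filter((e) => STRENGTH.indexOf(e.alg) === best);
}

// True only if the body matches a pinned digest. Unlike a browser, this
// check fails closed when the pin is empty or has no supported algorithm.
function verifyScript(body, integrityAttr) {
  const pins = parseIntegrity(integrityAttr);
  if (pins.length === 0) return false;
  return pins.some(({ alg, digest }) => {
    const actual = createHash(alg).update(body).digest();
    const expected = Buffer.from(digest, "base64");
    return expected.length === actual.length && timingSafeEqual(actual, expected);
  });
}

// Constructed sample bodies: the file reviewed at release time, and the
// same file after something was appended to it on the CDN.
const GENUINE = 'export function connect() { return "connector v1"; }\n';
const TAMPERED = GENUINE + "/* appended content */\n";
const PINNED = sriFor(GENUINE); // recorded by the DApp when it vetted the file

console.log("genuine accepted: ", verifyScript(GENUINE, PINNED));
console.log("tampered accepted:", verifyScript(TAMPERED, PINNED));
```

The same value goes in the `integrity` attribute of a `<script>` tag. It only helps when the URL points at a fixed version, since a pin on a moving "latest" file breaks on every legitimate release.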

This incident underscores the ongoing challenges of ensuring security in the decentralized finance (DeFi) space and the importance of swift action to address vulnerabilities and protect user funds.

Image: Wikimedia Commons
