Multiple decentralized applications, such as Revoke.cash and SushiSwap, which used Ledger’s connector library have been compromised. Ledger says they’ve resolved the problem.
On December 14, there was a hack on the front end of several DApps (decentralized applications) that used Ledger’s connector, such as Revoke.cash, Phantom, SushiSwap, Balancer, and Zapper. Ledger stated that at 1:35 PM UTC, the malicious version of the file had been replaced with its legitimate version, almost three hours after the security breach was detected.
Ledger advises users “to always Clear Sign” transactions and stresses that the addresses and data shown on the Ledger screen are the only accurate sources of information. “Stop that transaction right away if the screen on your Ledger device and the screen on your computer or phone differ.”
SushiSwap chief technical officer Matthew Lilley was among the first to report the problem, pointing out that a widely used Web3 connector had been compromised, allowing malicious code to be injected into a variety of DApps. According to the on-chain analyst, the compromise was confirmed in the Ledger library itself, where the malicious code inserted the drainer account address.
Ledger connector is a library maintained by Ledger that is used by many DApps. Because the injected code is a wallet drainer, assets will not necessarily leave a user’s account on their own. Instead, prompts from a browser wallet such as MetaMask will appear, and approving them could give the malicious actors access to the assets.
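The clear-signing advice above and the prompt-based mechanism described here, as an added example (not code from the article, from Ledger, or from any of the DApps named): decode an ERC-20 approve() request the way a hardware wallet’s screen presents it and compare it with what the DApp on screen claims, so a mismatched spender or an unlimited allowance is caught before signing. All addresses, amounts and calldata are constructed samples; only the approve(address,uint256) selector is real.

```javascript
// Added example, not from the article or Ledger. Decodes approve() calldata
// as a clear-signing screen would show it and checks it against expectations.
const APPROVE_SELECTOR = "0x095ea7b3";      // keccak256("approve(address,uint256)")[:4]
const MAX_UINT256 = (1n << 256n) - 1n;      // "unlimited" allowance

// Decode calldata for approve(address spender, uint256 amount).
// Returns null when the calldata is not a well-formed approve() call.
function decodeApprove(calldata) {
  const data = calldata.toLowerCase();
  if (!data.startsWith(APPROVE_SELECTOR) || data.length !== 10 + 64 * 2) return null;
  const spender = "0x" + data.slice(10 + 24, 10 + 64);    // last 20 bytes of word 1
  const amount = BigInt("0x" + data.slice(10 + 64, 10 + 128)); // word 2
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Build approve() calldata; used only to construct sample prompts.
function encodeApprove(spender, amount) {
  const word = (hex) => hex.padStart(64, "0");
  return APPROVE_SELECTOR + word(spender.toLowerCase().slice(2)) + word(amount.toString(16));
}

// `prompt.data` is what the wallet is actually being asked to sign (what the
// device screen shows); `expected` is what the DApp page claims the user is
// doing. Any disagreement is a reason to reject the prompt.
function reviewApprovalPrompt(prompt, expected) {
  const decoded = decodeApprove(prompt.data);
  if (!decoded) return { approve: false, reasons: ["not an approve() call"], decoded: null };
  const reasons = [];
  if (decoded.spender !== expected.spender.toLowerCase())
    reasons.push(`spender ${decoded.spender} differs from expected ${expected.spender}`);
  if (decoded.unlimited && !expected.allowUnlimited)
    reasons.push("unlimited allowance requested");
  if (!decoded.unlimited && decoded.amount > expected.maxAmount)
    reasons.push(`amount ${decoded.amount} exceeds expected ${expected.maxAmount}`);
  return { approve: reasons.length === 0, reasons, decoded };
}

// Constructed sample: the DApp page says "approve 1000 tokens to 0x1111…",
// but the injected script asks for an unlimited allowance to another address.
const EXPECTED = { spender: "0x1111111111111111111111111111111111111111", maxAmount: 1000n, allowUnlimited: false };
const LEGIT_PROMPT = { data: encodeApprove(EXPECTED.spender, 1000n) };
const SUSPECT_PROMPT = { data: encodeApprove("0x2222222222222222222222222222222222222222", MAX_UINT256) };
```

Running `reviewApprovalPrompt(SUSPECT_PROMPT, EXPECTED)` returns `approve: false` with both a spender mismatch and an unlimited-allowance reason, which is exactly the disagreement between device screen and web page that the advice above tells users to stop on.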
Lilley advised users to avoid any DApps that use the Ledger connector, noting that the “connect-kit” is also vulnerable and that this is not a single isolated attack but a large-scale attack on multiple DApps.
Polygon Labs vice president Hudson Jameson stated that even after Ledger fixes the bad code in its library, projects using and deploying the library will need to update before DApps using Ledger’s Web3 libraries can be used safely.
Blockaid co-founder and CEO Ido Ben-Natan told Cointelegraph:
“Ledger users are not at risk if they do not transact. It cannot be used without prior approval. Because Revoke.cash is particularly vulnerable, avoid dealing with it. Over the last two hours, hundreds of thousands of dollars in funds have been impacted. Many websites are still down, and users are being impacted.”
Ledger acknowledged the flaw in its code and stated that it had “removed a malicious version of the Ledger Connect Kit,” adding that “a genuine version is being pushed to replace the malicious file now.”