Vulnerability in Ledger Library Affects Numerous DApps


A vulnerability has been discovered in a library developed by Ledger, potentially affecting numerous decentralized applications (DApps) that integrate with it.
The DeFi community on X (formerly Twitter) is abuzz with reports of a security flaw in the Connect-Kit toolset developed by Ledger. This toolset has been compromised with malware capable of automatically draining user assets upon any interaction.
Ok, the first connect-kit version with the drainer (1.1.6) was added to the npm registry at 9:44am UTC
Better to check that you have not interacted with any UIs starting this time https://t.co/GRcHiyo3fm
1/2
— Igor Igamberdiev (@FrankResearcher) December 14, 2023
Impact on Popular DApps
Several popular DApps, including Hey, SushiSwap, and Zapper, which utilize this toolset, may have their front-ends compromised, potentially affecting users. Even the token revocation site, Revoke, is among the impacted websites.
A really serious issue is currently unfolding across most hosted crypto frontends.
There is a supply attack on a popular connector, the @Ledger connect-kit.
It has been infected with a drainer, which you can confirm by deobfuscating the code.
Be extra vigilant! pic.twitter.com/rwQBmUHMct
— Lefteris Karapetsas | Hiring for @rotkiapp (@LefterisJP) December 14, 2023
Confirmation from SushiSwap
The CTO of SushiSwap has confirmed that their front-end was affected by this attack. He identified the root cause as a compromised web3 connector, which allowed the attacker to inject malicious code affecting multiple DApps. The malicious code appears to have originated from the GitHub repository of Ledger's hardware wallet.
⚠️⚠️⚠️⚠️⚠️⚠️
Warning: Multiple popular crypto applications that integrate with Ledger's ConnectKit library, including https://t.co/MkINKOiX5N have been compromised. We temporarily took the website offline as we're investigating further. We recommend not using *any* crypto website…
— Revoke.cash (@RevokeCash) December 14, 2023
He further stated:
"Any DApps using LedgerHQ/connect-kit are vulnerable to this attack...This isn't a single attack but a large-scale attack on multiple DApps. The Ledger DApps connection kit allows developers to connect their DApps with Ledger hardware wallets using the Ledger Extension or Ledger Live."
He also urged users to "avoid interacting with any DApps until further notice."
🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
Recent Development and Safety Measures
The vulnerability seems to have emerged recently (around 4:44 PM on 12/14). Users who have not interacted with DApps in the past 4-5 hours are likely safe.
ANY dApp which makes use of LedgerHQ/connect-kit is vulnerable. Don't use ANY dApps until further notice. This isn't a single isolated attack, it's a large-scale attack on multiple dApps. https://t.co/a3brXNQSx9
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
Technical key opinion leaders (KOLs) recommend that users refrain from any transactions in the near future to minimize the risk of asset theft. They specifically advise against connecting to any DApps using Ledger cold wallets.
When interacting with Curve website, don't choose Ledger currently! Ledger support in many dApps downloads malicious code at the moment https://t.co/lS56puIgen pic.twitter.com/MRQd88jdfj
— Curve Finance (@CurveFinance) December 14, 2023
Update from Ledger
Ledger's X account acknowledged the vulnerability and stated that a patch is being deployed. However, users are still advised not to interact with any DApps at this time. Ledger hardware wallets remain secure and are not affected by this library vulnerability.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
ZachXBT shared the attacker's wallet address, estimating that $610,000 had been stolen via this exploit. Tether has since frozen the funds associated with the hacker.
looks like $610K+ drained
drainer customer
0x658729879fca881d9526480b82ae00efc54b5c2d
drainer fee address
0x412f10AAd96fD78da6736387e2C84931Ac20313f pic.twitter.com/Rld2BsKNDo
— ZachXBT (@zachxbt) December 14, 2023
Tether just froze the Ledger exploiter address
— Paolo Ardoino 🤖🍐 (@paoloardoino) December 14, 2023
The latest patch version is 1.1.8. Users should ensure they have updated to this version before engaging in any new interactions with Ledger.
The ledger issue is now fixed.
To make sure you don't have the malicious library cached, go to https://t.co/MSVgii7Ufk and ensure the version is 1.1.8.
If it's not, clear your cache. Chrome: F12 > Chrome Developer Tools > Application tab > Storage in left tree > Clear site data. pic.twitter.com/BtNUiO4vXF
— Mudit Gupta (@Mudit__Gupta) December 14, 2023
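For a DApp team that needs to confirm which Connect Kit version its build actually resolved, here is an added Node.js example (not code from Ledger, Sushi, Revoke or any other project the article names). It scans the "packages" map of a package-lock.json for every copy of @ledgerhq/connect-kit, classifies each resolved version against the two boundaries the tweets above give (1.1.6 as the first version carrying the drainer, 1.1.8 as the patched version), and flags a floating dependency specifier such as "^1.1.5", since a range like that is what lets a fresh install silently pick up a newly published version. Treating the whole [1.1.6, 1.1.8) range as compromised, the lockfile layout, the sample files and the name example-wallet-adapter are this example's own assumptions. One caveat the tweets themselves raise: the malicious code was described as being downloaded and cached at runtime, so a lockfile audit only covers what the build resolved; the browser-side version check and cache clearing that Mudit Gupta describes is a separate step.

```javascript
// Added example, not Ledger's or any DApp's own code. Audits an npm lockfile
// for resolved @ledgerhq/connect-kit versions and flags floating specifiers.
// Boundaries per the report: 1.1.6 = first drainer version, 1.1.8 = patched.
// Treating every version in [1.1.6, 1.1.8) as compromised is an assumption.

const PACKAGE = '@ledgerhq/connect-kit';
const FIRST_MALICIOUS = '1.1.6';
const PATCHED = '1.1.8';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Classify one resolved version against the boundaries above.
function classify(version) {
  if (compareSemver(version, FIRST_MALICIOUS) < 0) return 'pre-incident';
  if (compareSemver(version, PATCHED) < 0) return 'compromised';
  return 'patched';
}

// Only an exact pin cannot resolve to a newer release on the next install.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(String(spec).trim());
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Nested
// copies sit at "node_modules/<dep>/node_modules/@ledgerhq/connect-kit".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${PACKAGE}`)) continue;
    findings.push({ path, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Report how the root package.json declares the dependency, if at all.
function auditDeclared(pkg) {
  const spec = (pkg.dependencies || {})[PACKAGE];
  if (spec === undefined) return { declared: false };
  return { declared: true, spec, exactPin: isExactPin(spec) };
}

// Clean only when no resolved copy is compromised and the declared
// dependency, if present, is pinned exactly.
function verdict(lock, pkg) {
  const resolved = auditLockfile(lock);
  const declared = auditDeclared(pkg);
  const compromised = resolved.filter((f) => f.status === 'compromised');
  const floating = declared.declared && !declared.exactPin;
  return { resolved, declared, ok: compromised.length === 0 && !floating };
}

// Constructed sample inputs (not real project files): a root that floats on
// "^1.1.5" and therefore resolved the first drainer version, plus a nested
// copy pulled in by a hypothetical adapter that already pins the fix.
const SAMPLE_PACKAGE_JSON = { dependencies: { [PACKAGE]: '^1.1.5' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { [PACKAGE]: '^1.1.5' } },
    [`node_modules/${PACKAGE}`]: { version: '1.1.6' },
    'node_modules/example-wallet-adapter': { version: '2.0.0' },
    [`node_modules/example-wallet-adapter/node_modules/${PACKAGE}`]: { version: '1.1.8' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const result = verdict(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON);
  for (const f of result.resolved) {
    console.log(`${f.status.padEnd(12)} ${f.version}  ${f.path}`);
  }
  if (result.declared.declared && !result.declared.exactPin) {
    console.log(`floating specifier "${result.declared.spec}" for ${PACKAGE}; pin it exactly`);
  }
  console.log(result.ok ? 'OK' : 'ACTION REQUIRED');
}
```

On the constructed sample the script reports the root copy at 1.1.6 as compromised, the nested copy at 1.1.8 as patched, and the "^1.1.5" specifier as floating, so the verdict is ACTION REQUIRED. To run it against a real project, replace the two sample objects with `JSON.parse(fs.readFileSync('package-lock.json'))` and `JSON.parse(fs.readFileSync('package.json'))`.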
Stay tuned for further updates on this developing situation.