
The hardware wallet maker says the vulnerability has been fixed, but users of several dApps and protocols are still being warned against using them until the situation is clearer.

A malicious version of Ledger’s Connector Kit allowed the front-end of several dApps to be exploited.
Posted December 14, 2023 at 10:59 am EST.
Multiple crypto users saw their wallets drained Thursday morning due to a compromise of hardware wallet provider Ledger’s Connector Kit that allowed the front-end of several decentralized applications (dApps) to be exploited.
The vulnerability caused widespread pandemonium in the crypto community because of how pervasive the exploit could potentially be: users didn’t need to be using a Ledger wallet to be affected, and it was affecting dApps on multiple chains.
Ledger removed the malicious version of the Ledger Connect Kit and replaced it with “the genuine version” several hours after the vulnerability was discovered, according to the crypto wallet provider’s X thread posted at 8:31 a.m. ET.
The company reminded users to “always Clear Sign your transactions” and that “if there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”
Matthew Lilley, the chief technology officer at decentralized exchange SushiSwap, wrote on X on Thursday morning that, “Fortunately, the damage seems to be limited across the board thanks to a bit of luck and coincidence in discovering this early.”
Users Warned to Still Be Cautious
Ledger said, “The new genuine version should be propagated soon,” and yet people are still cautioning crypto users not to use dApps and crypto protocols. A Synthetix community admin asked everyone in Discord to refrain from interacting with its staking dApp, while Camelot “strongly” recommends “everyone to not interact with ANY DAPP until the situation is entirely clarified.”
“Even after Ledger corrects the bad code in their library, projects using and deploying that library will need to update things before it is safe to use dapps that use Ledger’s web3 libraries,” wrote Polygon Labs VP Hudson Jameson on X.
The codebase of Ledger’s Connector Kit contained a line that said “minimalDrainValue,” the source of the recent vulnerability. The compromise affected front-end users: when people interacted with the interface of decentralized applications such as SushiSwap, Zapper and RevokeCash, a malicious window would pop up, and when users connected their wallets, their funds would be drained.
https://twitter.com/bantg/status/1735279127752540465
This is not the first time that Ledger has encountered security concerns. For instance, in 2020 a phishing email impersonating Ledger support targeted customers in an attempt to steal their data.
Ledger also faced criticism for its safety policies in May 2023 when it announced its private key recovery feature, which allowed customers to recover the keys to their Ledger wallet if, for example, they lost them.
This is a developing story and will be updated.