Update (Dec. 14 at 2:45 pm UTC): This article has been updated to clarify that Ledger has reportedly fixed the issue.
The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were compromised on Dec. 14. Nearly three hours after the security breach was discovered, Ledger reported that the malicious version of the file had been replaced with its genuine version around 1:35 pm UTC.
Ledger is warning users "to always Clear Sign" transactions, adding that the addresses and the information presented on the Ledger screen are the only genuine information. “If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”
SushiSwap chief technical officer Matthew Lilley was among the first to report the issue, noting that a commonly used Web3 connector was compromised, allowing malicious code to be injected into numerous DApps. The on-chain analyst said the Ledger library confirmed the compromise where the vulnerable code inserted the drainer account address.
Lilley blamed Ledger for the ongoing vulnerability and compromise on multiple DApps. The exec claimed that Ledger’s content delivery network was compromised, with JavaScript being loaded from the compromised network.
Ledger connector is a library used by many DApps and maintained by Ledger. A wallet drainer has been added, so draining assets from a user’s account might not happen on its own. However, prompts from a browser wallet like MetaMask will display and could give malicious actors access to the assets.
Lilley warned users to avoid any DApps using the Ledger connector, adding that the “connect-kit” is also vulnerable, and that this isn’t a single isolated attack but a large-scale attack on multiple DApps.
Polygon Labs vice president Hudson Jameson said even after Ledger corrects the bad code in its library, projects using and deploying the library will need to update before it is safe to use DApps using Ledger’s Web3 libraries.
Ido Ben-Natan, co-founder and CEO of Blockaid, told Cointelegraph:
“Ledger users are not at risk if not transacting. It is not exploitable on prior approvals. Revoke.cash specifically is affected, so don’t interact with it. the number of impacted funds is hundreds of thousands of dollars over the past two hours. Many websites are still affected, and users are getting hit.”
Related: KyberSwap hacker demands complete control over Kyber company
Ledger acknowledged the vulnerability in its code and said it has “removed a malicious version of the Ledger Connect Kit,” adding that “a genuine version is being pushed to replace the malicious file now.“
Magazine: HTX hacked again for $30M, 100K Koreans test CBDC, Binance 2.0: Asia Express
