Ledger quickly resolved a supply-chain compromise of its Connect Kit library that affected multiple DApps, including SushiSwap and Revoke.cash. The incident underscores the importance of constant vigilance in the crypto ecosystem: a single hijacked publishing account was enough to push malicious code into many front ends at once.

On the morning of December 14, 2023, a former Ledger employee was phished, giving the attacker access to their NPMJS account. The attacker used that account to publish malicious versions of the Ledger Connect Kit; versions 1.1.5, 1.1.6 and 1.1.7 are affected.

Once Ledger became aware of the problem it reacted quickly and deployed a fix within 40 minutes. However, the malicious file had been live for approximately 5 hours, and funds were actively drained for at least two hours of that window. The compromised library affected several decentralized applications (DApps), including SushiSwap and Revoke.cash.

Scope of Vulnerability

The compromise affected the front ends of multiple DApps that use the Ledger connector, such as Zapper, Phantom, Balancer, and Revoke.cash. The problem was detected and reported on December 14. Ledger replaced the malicious file with its genuine version around 1:35 p.m. UTC, approximately three hours after the compromise was discovered.

Incident Reports and Analysis

Matthew Lilley, CTO of SushiSwap, was one of the first to report the issue: a commonly used Web3 connector had been compromised, allowing malicious code to be injected into numerous DApps. Analysis of the Ledger library confirmed the compromise; the injected code inserted the address of an attacker-controlled drain account.

Lilley’s report on X read as follows:

“What happened? In short, @Ledger made a chain of terrible blunders.

1. They are loading JS from a CDN.

2. They are not version locking loaded JS.

3. They had their CDN compromised.

I would avoid using ANY dApps until their teams confirm that they have mitigated the attack.”

Precautions for Ledger Users

The Ledger connector is a library maintained by Ledger and used by many DApps. Injecting a wallet drainer into it does not by itself move funds: the injected code works by prompting the user’s browser wallet, such as MetaMask, with transaction or approval requests that hand assets to the attacker, so assets are lost only when a user approves such a request.

Lilley further stated via X that “ANY dApp which makes use of LedgerHQ/connect-kit is vulnerable. Don’t use ANY dApps until further notice. This isn’t a single isolated attack, it’s a large-scale attack on multiple dApps.”

Expert Statements and Proposed Solutions

Hudson Jameson, vice president of Polygon Labs, noted that even after Ledger fixes the code in its library, projects that use it will need to pick up the fixed version before DApps that employ Ledger’s Web3 libraries are safe to use:

“Ledger Library Exploit Explainer for Average Folks. What is going on with the recent alerts not to use dapps? A library that is used by many dapps that is maintained by Ledger was compromised and a wallet drainer was added.

What do I do as a normal user? Do not interact with any dapp front ends on websites for now. This is an ongoing situation and it is risky to use dapps currently if you don’t understand what backend libraries they use (…)”

Ido Ben-Natan, co-founder and CEO of Blockaid, noted that Ledger users are not at risk if they do not transact and that existing pre-approvals cannot be exploited. He specifically noted that Revoke.cash was affected and recommended not interacting with it. He put the funds drained over the preceding two hours at hundreds of thousands of dollars and said that many websites were still affected.

By Audy Castaneda
