In a statement, Ledger emphasized its focus on addressing the recent security incident and preventing similar occurrences in the future. Ledger says that some $600,000 in assets were stolen from users who blind-signed transactions on EVM dApps, that it will ensure all victims are “recompensated,” and that blind signing will be removed from its devices by June 2024.

Hardware wallet maker Ledger has responded to a recent security breach that resulted in the theft of user assets worth about $600,000. The company has committed to improving its security protocols by eliminating blind signing, in which the device shows the user only a hash or raw transaction data rather than a readable description of what they are approving, by June 2024.

Ledger took to X (formerly Twitter) on December 20 to announce that the company is aware of around $600,000 in assets affected or stolen from users through blind signing on Ethereum Virtual Machine (EVM) decentralized applications (dApps).

Multiple decentralized applications using Ledger’s connector library — including SushiSwap and — were compromised on December 14, 2023, resulting in massive losses by investors.

Ledger Takes Responsibility for Connect Kit Attack

In a statement, Ledger acknowledged the approximately $600,000 in assets affected by the Connect Kit attack, which particularly hit users who blind-signed transactions on Ethereum Virtual Machine (EVM) decentralized applications (dApps).

Additionally, Ledger committed to ensuring that affected victims receive full compensation, including people who are not Ledger customers, and said that CEO and President Pascal Gauthier will personally oversee the restitution process.

According to the statement, Ledger has already initiated contact with affected users and is actively working with them to resolve their specific cases. By June 2024, blind signing will no longer be supported on Ledger devices, contributing to a “new standard of user protection” and advocating for “clear signing,” a process in which the transaction's actual contents are shown on the Ledger device's screen so users can verify what they are approving before signing it for a dApp.

In this regard, Ledger CEO Pascal Gauthier stated the following:

“My personal commitment: Ledger will dedicate as many internal and external resources as possible to help affected people recover their assets.”

Reinforced Security Measures for dApps

According to an incident report published by the hardware wallet manufacturer, the attack leveraged the Ledger Connect Kit: malicious code was injected into the kit and thereby into the dApps that load it. This malicious code redirected assets to the attacker’s wallets by tricking EVM dApp users into “unknowingly signing transactions” that depleted their wallets.

Ledger addressed the attack by publishing a genuine version of the Connect Kit within 40 minutes of detection. The compromised code nevertheless remained reachable for a limited time afterwards, because content delivery networks (CDNs) and browser caches continued to serve the copy they already held. This is the general caveat with any library pulled from a CDN at page load: a fix on the publisher's side only reaches a user once every cache between them has expired or been purged.

The company recognized the risks the entire industry faces in protecting users and emphasized the need to continually raise the standard of security in dApps, and it plans to strengthen its access controls, conduct audits of internal and external tools, strengthen code signing, and improve infrastructure monitoring and alert systems.

Additionally, Ledger will educate users on the importance of clear signing and the potential risks associated with blindly signing transactions without a secure display. In particular, with Clear Signing, users are presented with a clear, readable representation of the transaction details, allowing them to review and validate the transaction before providing their signature.

This additional layer of transparency and verification helps users mitigate the risks associated with front-end attacks or malicious code injected into decentralized applications, since the device display, not the compromised web page, is what the user relies on to judge the transaction.
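To make the difference between blind and clear signing concrete, here is an added example in JavaScript. It is not Ledger's code and not taken from the incident report; it is a minimal decoder that renders the two ERC-20 calls a wallet drainer typically asks a victim to approve (an unlimited `approve` and a `transfer`) as readable text, the way a clear-signing display would, and falls back to the opaque hex a blind-signing prompt shows for anything it cannot interpret. The function selectors are the standard ERC-20 ones; the token address and calldata samples are constructed for the demonstration, and the hypothetical `describeCalldata` function is the decoder itself.

```javascript
// Added example, not Ledger's code: a minimal "clear signing" decoder for EVM calldata.
// It turns the two ERC-20 calls a drainer typically asks a victim to sign (approve,
// transfer) into readable text, and falls back to the raw hex a device shows under
// blind signing for anything it cannot interpret. All sample data below is constructed.

// Function selectors are the first 4 bytes of keccak256(canonical signature).
// These two are the standard ERC-20 values.
const KNOWN_SELECTORS = {
  '095ea7b3': { name: 'approve', params: ['address', 'uint256'] },  // approve(address,uint256)
  'a9059cbb': { name: 'transfer', params: ['address', 'uint256'] }, // transfer(address,uint256)
};

const MAX_UINT256 = (1n << 256n) - 1n;

// i-th 32-byte ABI word of the argument area (hex string after the selector).
function abiWord(body, i) {
  const w = body.slice(i * 64, (i + 1) * 64);
  if (w.length !== 64) throw new Error('calldata too short for parameter ' + i);
  return w;
}

function decodeParam(type, w) {
  if (type === 'address') {
    // An address is left-padded with 12 zero bytes; anything else is malformed.
    if (!/^0{24}/.test(w)) throw new Error('address word has non-zero padding');
    return '0x' + w.slice(24); // low 20 bytes
  }
  if (type === 'uint256') return BigInt('0x' + w);
  throw new Error('unsupported ABI type ' + type);
}

// Describe a transaction to contract `to` carrying `data`, the way a clear-signing
// display would. Returns { mode: 'clear' | 'blind', text, warnings, ... }.
function describeCalldata(to, data) {
  const hex = String(data).toLowerCase().replace(/^0x/, '');
  if (hex.length < 8 || hex.length % 2 !== 0 || !/^[0-9a-f]*$/.test(hex)) {
    throw new Error('malformed calldata');
  }
  const selector = hex.slice(0, 8);
  const body = hex.slice(8);
  const abi = KNOWN_SELECTORS[selector];
  if (!abi) {
    // Blind signing: the user is asked to approve an opaque blob.
    return {
      mode: 'blind',
      text: `Call ${to} with unknown data 0x${hex}`,
      warnings: ['unrecognized function selector; intent cannot be verified on-device'],
    };
  }
  const args = abi.params.map((t, i) => decodeParam(t, abiWord(body, i)));
  const warnings = [];
  let text;
  if (abi.name === 'approve') {
    const unlimited = args[1] === MAX_UINT256;
    if (unlimited) warnings.push('unlimited allowance: spender can drain the entire token balance');
    text = `Allow ${args[0]} to spend ${unlimited ? 'UNLIMITED' : args[1].toString()} base units of token ${to}`;
  } else {
    text = `Transfer ${args[1].toString()} base units of token ${to} to ${args[0]}`;
  }
  return { mode: 'clear', name: abi.name, args, text, warnings };
}

// Constructed samples (not real transactions or addresses).
const TOKEN = '0x' + 'ab'.repeat(20);
const SAMPLES = {
  // approve(0x1111...1111, 2**256 - 1): the classic drainer approval
  unlimitedApprove: '0x095ea7b3' + '0'.repeat(24) + '11'.repeat(20) + 'f'.repeat(64),
  // transfer(0x2222...2222, 10**18): one token at 18 decimals
  transferOneToken: '0xa9059cbb' + '0'.repeat(24) + '22'.repeat(20) + '0'.repeat(48) + '0de0b6b3a7640000',
  // unknown selector: only blind signing is possible
  opaque: '0xdeadbeef' + '00'.repeat(32),
};

for (const [label, data] of Object.entries(SAMPLES)) {
  const d = describeCalldata(TOKEN, data);
  console.log(`${label} [${d.mode}]: ${d.text}`, d.warnings.length ? d.warnings : '');
}
```

The point of the example is the third sample: without a known ABI the device can only show the raw bytes, and a user cannot tell a harmless call from the unlimited approval in the first sample, which is exactly the gap a malicious front end exploits.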

Ledger’s response to this incident is crucial not only for the victims, but for the DeFi ecosystem as a whole, reaffirming the need for strong security and protection measures for cryptocurrency users.

By Leonardo Perez
