Ledger quickly resolves a vulnerability that affected multiple DApps, including SushiSwap and Revoke.cash, strengthening security on its platform.
The security breach in Ledger’s connector library underscores the importance of constant vigilance in the crypto ecosystem.
On the morning of December 14, a former Ledger employee suffered a phishing attack that allowed a hacker to access his NPMJS account. The hacker posted a malicious version of the Ledger Connect Kit, affecting versions 1.1.5, 1.1.6 and 1.1.7.
The malicious code used a fraudulent WalletConnect project to redirect funds to the attacker’s wallet. Ledger, on realizing the problem, reacted quickly and managed to deploy a patch in just 40 minutes. However, the malicious file was active for approximately 5 hours, and funds were being drained for at least two of them.
This library vulnerability affected several decentralized applications (DApps), including SushiSwap and Revoke.cash.
The Scope of the Vulnerability
The security flaw affected the front end of multiple DApps using the Ledger connector, such as Zapper, Phantom, Balancer and Revoke.cash. The issue was detected and reported on December 14.
Ledger acted quickly and, approximately three hours after the discovery of the breach, replaced the malicious version of the file with its authentic version at around 1:35 pm UTC.
Incident Reporting and Analysis
Matthew Lilley, CTO of SushiSwap, was one of the first to report the problem. He noticed that a commonly used Web3 connector had been compromised, allowing malicious code to be injected into numerous DApps. Analysis of the Ledger library confirmed the compromise: the malicious code inserted the address of a drainer account.
Cautions for Ledger Users
The Ledger connector is a library used by many DApps and maintained by Ledger. While the addition of a wallet drainer does not necessarily result in automatic loss of assets, it could allow malicious actors to access those assets through requests made to browser wallets such as MetaMask.
Lilley warned users to avoid DApps that use the Ledger connector and noted that the connect-kit is also vulnerable. He stressed that this is not an isolated attack, but a large-scale attack affecting multiple DApps.
Expert Statements and Proposed Solutions
Hudson Jameson, vice president of Polygon Labs, mentioned that even after Ledger fixes the flawed code in its library, projects that use and implement it will need to update it before it is safe to use DApps that employ Ledger’s Web3 libraries.
Ido Ben-Natan, co-founder and CEO of Blockaid, advised Ledger users that they are not at risk if they do not transact, and that the flaw is not exploitable through pre-approvals. He specifically noted that Revoke.cash is affected and recommended not interacting with it. He mentioned that the amount of impacted funds came to hundreds of thousands of dollars over the preceding two hours and that many websites were still affected.
Collaboration to Resolve the Crisis
Ledger worked closely with WalletConnect, which quickly disabled the fraudulent project. The authentic and secure version of the Ledger Connect Kit, version 1.1.8, is now available for use.
Additional Security Measures
As an additional security measure, the Connect Kit developers’ NPM project is now read-only, meaning that they cannot directly publish the NPM package. Ledger has also rotated the publishing secrets on GitHub. Developers are urged to check out and use the latest version, 1.1.8.
Acknowledgements and Focus on Security
Ledger thanks WalletConnect, Tether, Chainalysis, Zachxbt and the entire community for their help and support in identifying and resolving the attack. The company reaffirms its commitment to security and stresses that it will prevail with the help of the entire ecosystem.
Importance of Security in the Crypto Ecosystem
This incident serves as a critical reminder of the importance of security in the cryptocurrency ecosystem. Ledger’s quick response and the collaboration of the crypto community demonstrate resilience and adaptability in the face of security threats.
However, it also underscores the continued need for vigilance and caution on the part of users when interacting with DApps and transacting in cryptocurrencies. With the growing interest in and adoption of cryptocurrencies, ensuring the security and trust of users remains a key pillar for the sustainable development of the crypto ecosystem.