Life Hacks Depot

Ledger patches vulnerability after multiple DApps using connector library were compromised

Multiple decentralized applications using Ledger’s connector library have been compromised, including SushiSwap and Revoke.cash. Ledger claims the issue has been fixed.

Update (Dec. 14 at 2:45 pm UTC): This article has been updated to clarify that Ledger has reportedly fixed the issue.

The front ends of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash, were compromised on Dec. 14. Nearly three hours after the security breach was discovered, Ledger reported that the malicious version of the file had been replaced with its genuine version around 1:35 pm UTC.

Ledger is warning users “to always Clear Sign” transactions, adding that the addresses and the information presented on the Ledger screen are the only genuine information. “If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”

SushiSwap chief technical officer Matthew Lilley was among the first to report the issue, noting that a commonly used Web3 connector was compromised, allowing malicious code to be injected into numerous DApps. The on-chain analyst said the Ledger library confirmed the compromise where the vulnerable code inserted the drainer account address.

https://twitter.com/MatthewLilley/status/1735275960662921638?ref_src=twsrc%5Etfw

Lilley blamed Ledger for the ongoing vulnerability and compromise on multiple DApps. The exec claimed that Ledger’s content delivery network was compromised, with JavaScript being loaded from the compromised network.

Ledger connector is a library used by many DApps and maintained by Ledger. A wallet drainer has been added to it, so draining assets from a user’s account might not happen on its own. However, prompts from a browser wallet like MetaMask will be displayed and could give malicious actors access to the assets.

Lilley warned users to avoid any DApps using the Ledger connector, adding that the “connect-kit” is also vulnerable, and that this isn’t a single isolated attack but a large-scale attack on multiple DApps.

https://twitter.com/phantom/status/1735302375701643649?ref_src=twsrc%5Etfw

Polygon Labs vice president Hudson Jameson said even after Ledger corrects the bad code in its library, projects using and deploying the library will need to update before it is safe to use DApps using Ledger’s Web3 libraries.

Ido Ben-Natan, co-founder and CEO of Blockaid, told Cointelegraph:

https://twitter.com/Ledger/status/1735291427100455293?ref_src=twsrc%5Etfw
