Ledger patches vulnerability after multiple DApps using connector library were compromised
Multiple decentralized applications using Ledger’s connector library have been compromised, including SushiSwap and Revoke.cash. Ledger claims the issue has been fixed.
11299 Total views 45 Total shares Listen to article
Lilley blamed Ledger for the ongoing vulnerability and compromise on multiple DApps. The exec claimed that Ledger’s content delivery network was compromised, with JavaScript being loaded from the compromised network.
seems like the Ledger's @ledgerhq/connect-kit npm package was hacked, the latest publish was 2 hours ago. https://t.co/jFb6CThljS pic.twitter.com/AsbA675D9Q
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023
Ledger connector is a library used by many DApps and maintained by Ledger. A wallet drainer has been added, so draining assets from a user’s account might not happen on its own. However, prompts from a browser wallet like MetaMask will display and could give malicious actors access to the assets.
Lilley warned users to avoid any DApps using the Ledger connector, adding that the “connect-kit” is also vulnerable, and that this isn’t a single isolated attack but a large-scale attack on multiple DApps.
Polygon Labs vice president Hudson Jameson said even after Ledger corrects the bad code in its library, projects using and deploying the library will need to update before it is safe to use DApps using Ledger’s Web3 libraries.
looks like $610K+ drained
drainer customer
0x658729879fca881d9526480b82ae00efc54b5c2d
drainer fee address
0x412f10AAd96fD78da6736387e2C84931Ac20313f pic.twitter.com/Rld2BsKNDo— ZachXBT (@zachxbt) December 14, 2023
Ido Ben-Natan, co-founder and CEO of Blockaid, told Cointelegraph:
Magazine: HTX hacked again for $30M, 100K Koreans test CBDC, Binance 2.0: Asia Express