On December 14, a security breach affected various decentralized applications (DApps) that rely on Ledger’s connector library. Affected platforms include SushiSwap, Zapper, and Revokecash, as reported by SushiSwap’s Chief Technical Officer, Matthew Lilley.
🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I’m Software 🦇🔊 (@MatthewLilley) December 14, 2023
Compromised Web3 Connector Raises Alarms
Lilley revealed that a widely-used Web3 connector associated with Ledger’s library has fallen victim to a breach, allowing the injection of malicious code into multiple DApps. The compromised code reportedly inserted a drainer account address, potentially putting user assets at risk.
Ledger Faces Accountability Amidst Ongoing Vulnerability
Attributing the ongoing vulnerability to Ledger, SushiSwap’s CTO pointed to Ledger’s content delivery network (CDN). Allegedly, a series of critical errors occurred: compromised JavaScript was loaded from an insecure CDN, and the loaded JS was not version-locked.
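The two failures named above (script loaded from a third-party CDN, no version lock) can be checked for mechanically. The following is an added example, not code from Ledger, SushiSwap or the original article; it also checks for a Subresource Integrity (SRI) hash, the standard browser control that refuses a CDN file whose content has changed. All hosts, package names and the hash are constructed placeholders.

```javascript
// Added example: flag third-party <script> loads that are not locked down.
// Hosts, package names and the integrity value are constructed placeholders.

// "Locked" means an exact x.y.z version in the path, not @1, @latest or nothing.
const EXACT_VERSION = /@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)(?=\/|$)/;

function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  return attrs;
}

function auditScripts(html, pageOrigin) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const { src, integrity } = parseAttrs(tag);
    if (!src) continue; // inline script, nothing fetched
    const url = new URL(src, pageOrigin);
    if (url.origin === new URL(pageOrigin).origin) continue; // first-party
    const issues = [];
    if (url.protocol !== "https:") issues.push("insecure-transport");
    if (!EXACT_VERSION.test(url.pathname)) issues.push("floating-version");
    if (!/^sha(256|384|512)-/.test(integrity || "")) issues.push("no-sri");
    if (issues.length) findings.push({ src, issues });
  }
  return findings;
}

// Constructed sample page: one first-party script, two risky loads, one locked load.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example/npm/@example/connect-kit@1"></script>
<script src="http://cdn.example/npm/widget@latest/index.js"></script>
<script src="https://cdn.example/npm/@example/connect-kit@2.3.4/dist/index.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERHASH" crossorigin="anonymous"></script>
`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, "https://dapp.example"), null, 2));
```

A script tag injected at runtime by a loader does not appear in static HTML, so the same checks have to be applied to the URL the loader requests.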
🚨 ledger library confirmed compromised and replaced with a drainer. wait out interacting with any dapps till things become clearer. https://t.co/xapunW8zC3 pic.twitter.com/NlAc11vhdv
— banteg (@bantg) December 14, 2023
Heightened Risks for Users
A wallet drainer has been added to the compromised Ledger connector library, which is widely adopted by various DApps, introducing the possibility of unauthorized asset access. While the draining process may not occur autonomously, prompts from browser wallets, such as MetaMask, may expose users to malicious actors.
On-Chain Analysts Issue Stark Warning
On-chain analysts are urging users to steer clear of any DApps utilizing the Ledger connector, emphasizing the vulnerability of the connect-kit-loader. The severity of the breach prompts a collective call for heightened security measures and a thorough review of applications relying on Ledger’s infrastructure.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
As the situation unfolds, affected DApps are urged to implement immediate security patches, and users are advised to exercise caution and potentially refrain from interacting with Ledger-connected applications until the all-clear is given.
Stay tuned for updates as the DeFi community navigates through this security challenge.