Users of cryptocurrency web apps are being advised to avoid the platforms until the outcome of an investigation into a potential cybersecurity incident involving hardware wallet Ledger is known.
Notices of what appears to be malicious code were shared on social media Thursday morning after being discovered in software libraries for Ledger’s ConnectKit, which connects blockchain apps to Ledger devices.
According to BlockAid, a Web3-focused cybersecurity firm, at least $150,000 has been lost as a result of the malicious code slipping into live websites.
According to the firm, Ledger users are not at risk if they do not transact.
“It is not exploitable on prior approvals,” CEO Ido Ben-Natan told Blockworks, adding that “many websites are still affected and users are getting hit,” implying that the damage could be even greater.
The front-end web app of decentralized trading platform SushiSwap was taken offline shortly after the warnings.
“We’ve identified a critical issue: the Ledger connector has been compromised, potentially allowing the injection of malicious code affecting various dApps,” the company said.
“Do not interact or connect your wallet if you have the Sushi page open and see an unexpected ‘Connect Wallet’ pop-up. We’re working hard to get rid of the Ledger wallet connector. Please refrain from using any dApps until further notice for your own safety. Keep an eye out for updates.”
Revoke.cash, a service that allows crypto users to reclaim transaction signing powers previously granted to Web3 apps, has also taken its front-end offline in order to prevent users from being duped.
“Revoke.cash specifically is affected, so don’t interact with it,” he said.
⚠️⚠️⚠️⚠️⚠️⚠️
Warning: Multiple popular crypto applications that integrate with Ledger’s ConnectKit library, including https://t.co/MkINKOiX5N have been compromised. We temporarily took the website offline as we’re investigating further. We recommend not using *any* crypto website…— Revoke.cash (@RevokeCash) December 14, 2023
Blockworks has contacted Ledger to learn more. Ledger’s official X account confirmed the potential attack vector and stated that the malicious code had been removed.
For the time being, users are advised to avoid front-end apps for crypto platforms.
SushiSwap’s CTO held Ledger accountable for the ongoing vulnerability and the compromise of several dApps. The CTO stated that after Ledger’s content delivery network (CDN) was compromised, a series of horrendous errors occurred, the first of which was loading JavaScript from a compromised CDN without version-locking the loaded JS.
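The version-locking point raised by SushiSwap’s CTO, shown as an added example that is not code from the article, Ledger or SushiSwap: a small Node.js audit that flags script tags loading npm-style CDN URLs without an exact version. The host cdn.example, the package names and the page origin are hypothetical, and the /npm/<package>@<version>/ path layout is an assumption about the CDN in use.

```javascript
// Added example (not from the article). Assumes npm-style CDN paths of the
// form /npm/<package>@<version>/<file>, the layout jsDelivr uses.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split "/npm/@scope/name@1.2.3/dist/x.js" into { name, version }.
function parseNpmCdnPath(pathname) {
  const parts = pathname.split('/').filter(Boolean);
  const i = parts.indexOf('npm');
  if (i === -1 || i + 1 >= parts.length) return null;
  let spec = parts[i + 1];
  if (spec.startsWith('@')) { // scoped package: the name spans two segments
    if (i + 2 >= parts.length) return null;
    spec += '/' + parts[i + 2];
  }
  const at = spec.lastIndexOf('@');
  if (at <= 0) return { name: spec, version: null }; // no version in the URL
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Classify one script URL; null means it is not a third-party npm CDN load.
function classify(src, pageUrl = 'https://page.example/') {
  let url;
  try { url = new URL(src, pageUrl); } catch { return null; }
  if (url.origin === new URL(pageUrl).origin) return null; // same-origin file
  const pkg = parseNpmCdnPath(url.pathname);
  if (!pkg) return null;
  // Only a full x.y.z version is locked; "1", "1.4", "latest" or none float.
  const pinned = pkg.version !== null && EXACT_VERSION.test(pkg.version);
  return { src, name: pkg.name, version: pkg.version, pinned };
}

// Regex extraction is enough for an audit pass; it is not a full HTML parser.
function auditScripts(html, pageUrl) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  return [...html.matchAll(re)]
    .map((m) => classify(m[1], pageUrl))
    .filter((r) => r && !r.pinned);
}

// Constructed sample page; host and package names are hypothetical.
const SAMPLE_HTML = `
<script src="https://cdn.example/npm/@example/wallet-connector@1"></script>
<script src="https://cdn.example/npm/@example/wallet-connector@1.4.2/dist/index.min.js"></script>
<script src="https://cdn.example/npm/ui-kit@latest/ui.js"></script>
<script src="https://cdn.example/npm/ui-kit/ui.js"></script>
<script src="/static/app.js"></script>`;
for (const f of auditScripts(SAMPLE_HTML))
  console.log(`floating: ${f.name} @ ${f.version ?? '(none)'}  ${f.src}`);
```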
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
According to early indications, funds cannot be directly stolen from Ledger devices if no further actions are taken.
Still, it’s best to avoid crypto web apps altogether, according to experts.
Front-end web apps may display malicious transactions for signing, which, if confirmed, could result in funds being lost even for those who do not use Ledger devices.