The addition of ‘Wallet drainer’ code to the Ledger library has put crypto on edge.

A suspected "supply chain attack" on Ledger ConnectKit may expose dapp users to financial loss.

by V. Sinclair

Users of cryptocurrency web apps are being advised to avoid the platforms until the outcome of an investigation into a potential cybersecurity incident involving hardware wallet maker Ledger is known.

Warnings about what appears to be malicious code were shared on social media Thursday morning after the code was discovered in software libraries for Ledger’s ConnectKit, which connects blockchain apps to Ledger devices.

According to BlockAid, a Web3-focused cybersecurity firm, at least $150,000 has been lost as a result of the malicious code slipping into live websites.

According to the firm, Ledger users are not at risk if they do not transact.

“It is not exploitable on prior approvals,” CEO Ido Ben-Natan told Blockworks, adding that “many websites are still affected and users are getting hit,” implying that the damage could be even greater.

The front-end web app of decentralized trading platform SushiSwap was taken offline shortly after the warnings.

“We’ve identified a critical issue the ledger connector has been compromised, potentially allowing the injection of malicious code affecting various dApps,” the company said.
“Do not interact or connect your wallet if you have the Sushi page open and see an unexpected ‘Connect Wallet’ pop-up. We’re working hard to get rid of the ledger wallet connector. Please refrain from using any dApps until further notice for your own safety. Keep an eye out for updates.”

Revoke.cash, a service that allows crypto users to reclaim transaction signing powers previously granted to Web3 apps, has also taken its front-end offline in order to prevent users from being duped.

“Revoke.cash specifically is affected, so don’t interact with it,” he said.

Blockworks has contacted Ledger to learn more. Ledger’s official X account confirmed the potential attack vector and stated that the malicious code had been removed.

For the time being, users are advised to avoid front-end apps for crypto platforms.

SushiSwap’s CTO held Ledger accountable for the continuing vulnerability and compromise on several dApps. The CTO stated that after Ledger’s content delivery network (CDN) was compromised, a series of horrendous errors occurred, the first of which was loading JavaScript from a compromised CDN without version-locking the loaded JS.
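
The first error the CTO names, loading CDN-hosted JavaScript without a locked version, is something a site can check for in its own HTML. The following is an added example, not code from Ledger, SushiSwap or this article; the CDN host, package name and digest are constructed placeholders. It also checks for a Subresource Integrity hash, which goes beyond the version-locking point in the text, and it only sees static script tags, not scripts injected at runtime.

```javascript
// Added example: static audit of third-party <script> tags.
// All hosts, package names and digests below are constructed placeholders.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Pull one quoted attribute value out of the raw attribute text of a tag.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2]) : null;
}

// Return one finding per cross-origin script that is unpinned or lacks SRI.
function auditScriptTags(html, pageOrigin) {
  const findings = [];
  const own = new URL(pageOrigin).origin;
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = attr(tag[1], 'src');
    if (!src) continue;                  // inline script, nothing is fetched
    const url = new URL(src, pageOrigin);
    if (url.origin === own) continue;    // first-party asset
    const issues = [];
    // npm-style CDN paths carry "name@version"; requiring a non-slash
    // character before "@" skips the "@scope/" prefix of scoped packages.
    const ver = /[^\/]@([^\/]+)/.exec(url.pathname);
    if (!ver) issues.push('no version in URL');
    else if (!EXACT_VERSION.test(ver[1])) issues.push(`floating version "${ver[1]}"`);
    const integrity = attr(tag[1], 'integrity');
    if (!integrity || !/^sha(256|384|512)-/.test(integrity)) issues.push('no SRI hash');
    if (issues.length) findings.push({ src: url.href, issues });
  }
  return findings;
}

// Constructed sample page: a floating tag, a pinned tag with SRI, a local file.
const SAMPLE_HTML = `
<script src="https://cdn.example/npm/@example/connector@1"></script>
<script src="https://cdn.example/npm/@example/connector@1.2.3/dist/index.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>`;

console.log(auditScriptTags(SAMPLE_HTML, 'https://dapp.example'));
```

A tag pinned to a major version such as `@1` receives whatever the CDN currently serves for that range, so a malicious release reaches every page that loads it; an exact version with an integrity hash makes the browser refuse a file whose contents have changed.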

According to early indications, funds cannot be directly stolen from Ledger devices if no further actions are taken.

Still, it’s best to avoid crypto web apps altogether, according to experts.

Front-end web apps may display malicious transactions for signing, which if confirmed, could result in funds being lost even for those who do not use Ledger devices.
