Malicious code was hidden in the Ledger Wallet Connect library.
Key Takeaways
- A compromised Ledger software library affected dozens of decentralized applications.
- After the vulnerability was flagged, Ledger rolled out a security patch.
- But DApp users could still be at risk from the exploit, putting their crypto at risk
Malicious code discovered in software libraries for Ledger’s Connect Kit threatens the security of many popular decentralized applications (dApps), with users being warned that their crypto is at risk.
After the compromised library was initially flagged on Thursday, December 14, Ledger rolled out a patch. It was, however, too late to prevent dApps, including hey.xyz and SushiSwap (SUSHI) from being exploited. With the full consequences of the incident still uncertain, CCN explores how to keep your crypto safe.
Check Ledger Connect Kit Vulnerability Status Before Using Any DApps
Ledger Connect Kit is a software library used by dApps to help their connection with Ledger hardware wallets. In a far-reaching attack, the compromised version of ConnectKit took control of various apps and services, injecting code designed to steal crypto from their users’ wallets. All wallets are vulnerable to this type of “supply-chain” hack, not just Ledger ones.
On Thursday afternoon, dApps, including Revoke.cash, were temporarily suspended by developers amid reports of users’ funds being drained. A warning from SushiSwap said: “If you have the Sushi page open and see an unexpected ‘Connect Wallet’ pop-up, DO NOT interact or connect your wallet.”
Ledger’s ConnectKit is used by 287 different apps and protocols identified in SourceGraph’s code database. Althought most dApps moved quickly to remove the malicious library, users should verify with a trusted sourced that it is safe to connect with a dApp.
Although the dApps have now updated with Ledger’s emergency Connect Kit security patch, that doesn’t automatically make them safe for all users.
Clear Browser Cache
After scrambling to contain the situation when the alarm was initially raised, later on Thursday afternoon, Ledger deployed an uncompromised version of Connect Kit, which it said propagated automatically.
The company asked Web3 developers to check they were using the latest version. For maximum security, it also recommended pausing Connect Kit development for 48 hours.
DApp users could still be vulnerable if they visited one of the affected websites before Ledger rolled out its patch.
To protect yourself from any dangerous code that could be stored in your browser, be sure to clear its cache before connecting to any dApps.
Clear Sign when Possible
As well as taking extra steps to protect themselves from the effects of the recent Ledger exploit, it is also important that users follow crypto security best practices.
Ledger has encouraged users to use a transaction approval technique known as clear signing. Clear signing is intended to prevent users from being misled about the details of a transaction.
Considering so many crypto hacks stem from people signing transactions they think are innocuous, only to end up with their wallets drained, clear signing can be a valuable security feature for DApp users.
Don’t Let Your Guard Down
Perhaps the most significant consequence of Thursday’s hack is the lasting damage it will do to Ledger’s reputation.
In an open letter , Ledger CEO Pascal Gauthier said the malicious code was traced back to a JavaScript package manager account. According to Gauthier, the account was compromised after a former employee fell victim to a phishing attack.
You read that correctly. A so-called security company responsible for thousands of customers’ wallets and critical crypto payment infrastructure let an ex-staff member send poisoned code to hundreds of DApps.
In the wake of the attack, many in the blockchain security industry have renewed calls for Ledger to open source more of its products. They argue that enhanced transparency could help identify software vulnerabilities sooner.
