Today might be a good day to stay off decentralized finance (DeFi).
In a recent cybersecurity incident that has sent shockwaves through the decentralized application (dApp) ecosystem, a critical exploit in the Ledger ConnectKit library has been discovered, putting multiple dApps at risk.
Origin of the Exploit: How Was Ledger ConnectKit Compromised?
Developers first flagged the problem on Twitter, and security firm Blockaid later confirmed it as a “supply chain attack” on Ledger’s ConnectKit.
🚨 We've detected a potential supply chain attack on ledgerconnect kit 🚨
The attacker injected a wallet draining payload into the popular NPM package.
This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T
— Blockaid (@blockaid_) December 14, 2023
The attackers replaced the legitimate library software with malicious code designed to drain assets from unsuspecting users.
SushiSwap CTO Matthew Lilley identified the root cause as a compromise of the content delivery network (CDN) hosting the ConnectKit software library.
According to Lilley, any dApp using Ledger’s ConnectKit was susceptible to the exploit.
No, LedgerHQ/connect-kit loads JS from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
Impact on Decentralized Applications (dApps)
The attack’s implications were immediate and widespread, with repercussions across the crypto industry.
Several prominent dApps, including Kyber and RevokeCash, acknowledged the threat and disabled their front ends as a precautionary measure.
The injected malicious code could affect the front ends of multiple dApps, leading to a significant risk for users and their assets.
Blockaid estimated the initial loss at around $150,000, which later escalated to over half a million dollars.
In response, stablecoin issuer Tether blacklisted the hacker’s address to prevent further transactions.
Ledger’s Crisis Response and Updated Security Measures
Ledger quickly acknowledged the issue, stating, “We have identified and removed a malicious version of the Ledger ConnectKit. A genuine version is being pushed to replace the malicious file now.”
They advised users not to interact with any dApps until the situation was fully resolved.
The hardware wallet manufacturer emphasized that Ledger devices and the Ledger Live app were not compromised in the attack.
For all the devs on 🦊SDK asking:
"metamask/sdk" is not affected "metamask/sdk-react" is not affected. "metamask/sdk-react-ui" is using this package as a Wagmi dependency but an older version (1.1.0) so it's not affected cause this issue is happening in version 1.1.7. On top of…
— Francesco Andreoli | andreolf.ethᵍᵐ (@francescoswiss) December 14, 2023
MetaMask promptly deployed a fix for its app and urged users to update to the latest version for safety.
The Scope and Severity of the Latest Crypto Attack
The compromised version of ConnectKit, the library that handles interaction between Ledger hardware wallets and dApps, facilitated unauthorized asset transfers.
Ethereum core developer liaison Hudson Jameson underscored the risk, advising users to exercise caution with dApps until the impacted projects updated their systems with Ledger’s corrected code.
While the exact sum lost so far has yet to be calculated, this incident is not Ledger’s first encounter with security issues.
In November this year, a fraudulent Ledger app on the Microsoft App Store led to nearly $1 million in losses.
Additionally, in 2020, Ledger faced backlash after a hack compromised over a million user emails.
Ledger’s recent voluntary ID-based Recover service, though unrelated to this exploit, also drew criticism for perceived security flaws.
The exploitation of Ledger’s ConnectKit library serves as a stark reminder of the vulnerabilities in the digital asset ecosystem, particularly concerning third-party integrations and dependencies.
As the crypto industry continues to evolve, the importance of robust security measures and rapid response protocols cannot be overstated.
For users and developers alike, this incident highlights the need for heightened vigilance and a comprehensive understanding of the underlying technologies and libraries they depend on.
For today, and every day… Tread carefully.