Security Warning: Avoid Using dApps due to Ledger ConnectKit Hack

Multiple decentralized finance (DeFi) applications were compromised earlier today after malicious code was inserted into Ledger’s ConnectKit library. The injected code acted as a wallet drainer: it prompted users visiting affected dapps to connect their wallets, giving the attackers the access needed to steal funds.


Key points

  • Malicious code was inserted into Ledger’s ConnectKit library, allowing a “wallet drainer” to steal funds from users’ accounts when connecting to decentralized apps (dapps).
  • The attack affected multiple dapps including SushiSwap, Zapper, Balancer, and Revoke.cash. Users were prompted to connect their wallets, which gave access to drain funds.
  • Ledger acknowledged the issue and said they removed the malicious code, but projects using the impacted libraries need to update to stay secure.
  • Users should avoid interacting with any dapps that use Ledger’s connector kit until further notice, as the vulnerability may still allow funds to be drained.
  • So far, funds drained are estimated to be in the hundreds of thousands of dollars, but the full impact is still being evaluated.

The issue was first publicly reported by developers on Twitter, warning users to avoid interacting with dapps. Ledger soon confirmed its ConnectKit library had been compromised and it was pushing an update to replace the malicious code. However, Ledger warned users not to use any dapps in the meantime.

A number of popular DeFi platforms were impacted, including leading decentralized exchange SushiSwap. SushiSwap took its front-end offline upon learning of the attack, warning users of a critical issue with Ledger’s connector. Other affected dapps included Zapper, Balancer, and Revoke.cash.

The malicious code exploited Ledger’s connector kit, which links its hardware wallets to decentralized apps to enable transaction signing. The code inserted a wallet address tied to the attackers, allowing funds to be drained from users’ accounts when they approved prompts in the browser wallet MetaMask.

While Ledger hardware wallets and the Ledger Live app itself were not compromised, the injected malicious JavaScript in the ConnectKit library left Web3 users vulnerable when approving transactions on dapps.

According to cybersecurity firm BlockAid, which first identified the wallet drainer payload, at least $150,000 has already been stolen. However, the full damage is still being evaluated as numerous dapps were compromised before Ledger managed to remove the malicious code.

Ledger acknowledged responsibility for the vulnerability, with the company’s CTO citing a “horrible series of blunders” that allowed their content delivery network to be compromised. This enabled the JavaScript attack when users interacted with dapps that relied on the Ledger ConnectKit.

Even after Ledger patched the exploit, DeFi platforms using the impacted libraries will need to update before it is safe to reconnect wallet integration. Developers are scrambling to push fixes to avoid further theft as users are warned to steer clear of decentralized apps for the time being.

The cyber attack underscores the risks associated with connecting hardware wallets to DeFi platforms and serves as a sobering reminder to exercise caution before approving transactions. While funds are likely not at risk if users refrain from interacting with dapps, the potential impact is still unfolding.

Hundreds of thousands of dollars have already been confirmed stolen. But as numerous sites evaluate whether they unknowingly integrated the compromised Ledger libraries, putting user funds at risk, the full damage of this coordinated cyber attack on Web3 infrastructure remains unknown.
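
One way for a dapp team to check whether a project pulls in ConnectKit without listing it directly is to walk the npm lockfile. This is an added example, not code from Ledger or the original article; the npm package names `@ledgerhq/connect-kit` and `@ledgerhq/connect-kit-loader` are not stated on the page, and the sample lockfile, its versions and `example-wallet-connectors` are constructed.

```javascript
// Added example. Versions in the sample lockfile are constructed placeholders,
// not the affected releases; pass the real affected versions in `flagged`.
const TARGETS = ["@ledgerhq/connect-kit", "@ledgerhq/connect-kit-loader"];

// Package name of a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" is the project root.
function nameOf(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? (path || "(root)") : path.slice(i + "node_modules/".length);
}

// Walk an npm lockfile (lockfileVersion 2 or 3) and report every installed copy
// of a target package, plus every package that declares it as a dependency.
function findConnectKit(lock, targets = TARGETS, flagged = new Set()) {
  const pkgs = lock.packages || {};
  const findings = [];
  for (const target of targets) {
    const installs = [];
    const requiredBy = [];
    for (const [path, meta] of Object.entries(pkgs)) {
      if (path !== "" && nameOf(path) === target) {
        installs.push({ path, version: meta.version, flagged: flagged.has(meta.version) });
      }
      const declared = { ...meta.dependencies, ...meta.devDependencies,
                         ...meta.optionalDependencies, ...meta.peerDependencies };
      if (target in declared) requiredBy.push({ by: nameOf(path), range: declared[target] });
    }
    if (installs.length || requiredBy.length) findings.push({ target, installs, requiredBy });
  }
  return findings;
}

// Constructed lockfile: the dapp never lists ConnectKit itself; a wallet-connector
// dependency (hypothetical name) pulls in the loader transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "example-wallet-connectors": "^1.0.0" } },
    "node_modules/example-wallet-connectors": {
      version: "1.0.0",
      dependencies: { "@ledgerhq/connect-kit-loader": "^0.0.1" },
    },
    "node_modules/@ledgerhq/connect-kit-loader": { version: "0.0.1" },
  },
};

console.log(JSON.stringify(findConnectKit(SAMPLE_LOCK, TARGETS, new Set(["0.0.1"])), null, 2));
```

A lockfile only describes what was installed at build time. Because the article attributes the incident to a compromised content delivery network, any script a dapp fetches at runtime needs its own review.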

The post Security Warning: Avoid Using dApps due to Ledger Connectkit Hack appeared first on Blockonomi.
