Ledger, a leading cryptocurrency wallet provider, has addressed a vulnerability in its connector library that compromised several decentralized applications (DApps), including notable ones like Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash.
On Dec. 14, a security breach involving Ledger’s connector was identified, impacting the front end of these DApps. Ledger confirmed that it rectified the issue by replacing the malicious file with an authentic version by approximately 1:35 pm UTC, nearly three hours after discovery.
In light of the breach, Ledger is advising users to diligently confirm transaction details on their Ledger device, as discrepancies between the device and computer/phone screens can signal fraudulent activity. The company emphasized:
Matthew Lilley, SushiSwap’s chief technical officer, was one of the first to detect the issue. He revealed that a widely used Web3 connector had been tampered with, leading to malicious code injections in various DApps. According to Lilley, the compromised Ledger library allowed the insertion of a wallet-draining address.
Lilley criticized Ledger for the security lapse, attributing the problem to a breach in Ledger’s content delivery network that affected JavaScript loading.
The Ledger connector, a library widely used by DApps, had a wallet drainer inserted into it, potentially granting attackers access to user assets through browser wallet prompts such as those shown by MetaMask.
Lilley cautioned users to avoid DApps using the Ledger connector and mentioned that the “connect-kit” was also affected. He described the incident as a broad-scale attack on numerous DApps.
Hudson Jameson, vice president at Polygon Labs, noted that even after Ledger resolves the library issue, projects deploying it must update their systems to ensure the safety of DApps using Ledger’s Web3 libraries.
Ido Ben-Natan, co-founder and CEO of Blockaid, provided further insights to Cointelegraph:
In response, Ledger has confirmed the elimination of the malicious version of the Ledger Connect Kit and is actively implementing an authentic version to secure its network.