Multiple DApps using the Ledger connector library compromised
The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Balancer and Revoke.cash, were compromised on Dec. 14.
SushiSwap chief technical officer Mathew Lilley reported that a commonly used Web3 connector has been compromised, allowing malicious code to be injected into numerous DApps. The on-chain analyst said the Ledger library confirmed the compromise where the vulnerable code inserted the drainer account address.
RED ALERT :
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps. — I'm Software (@MatthewLilley) December 14, 2023
Lilley blamed Ledger for the ongoing vulnerability and compromise on multiple DApps. The exec claimed that Ledger’s content delivery network was compromised, with JavaScript being loaded from the compromised network.
Ledger connector is a library used by many DApps and maintained by Ledger. A wallet drainer has been added, so draining assets from a user’s account might not happen on its own. However, prompts from a browser wallet like MetaMask will display and could give malicious actors access to the assets.
Lilley warned users to avoid any DApps using the Ledger connector, adding that the “connect-kit” is also vulnerable, and that this isn’t a single isolated attack but a large-scale attack on multiple DApps.
seems like the Ledger's @ledgerhq/connect-kit npm package was hacked, the latest publish was 2 hours ago. https://t.co/jFb6CThljS pic.twitter.com/AsbA675D9Q — Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023
Polygon Labs vice president Hudson Jameson said even after Ledger corrects the bad code in its library, projects using and deploying the library will need to update before it is safe to use DApps using Ledger’s Web3 libraries.
Ido Ben-Natan, co-founder and CEO of Blockaid, told Cointelegraph:
“Ledger users are not at risk if not transacting. It is not exploitable on prior approvals. Revoke.cash specifically is affected, so don’t interact with it. the number of impacted funds is hundreds of thousands of dollars over the past two hours. Many websites are still affected, and users are getting hit.”
Related: KyberSwap hacker demands complete control over Kyber company
Ledger acknowledged the vulnerability in its code and said it has “removed a malicious version of the Ledger Connect Kit,” adding that “a genuine version is being pushed to replace the malicious file now.“
We have identified and removed a malicious version of the Ledger Connect Kit.
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.