Original - Odaily

Author - Loopy

Today, the famous hardware wallet brand Ledger suffered a major security incident. Although Ledger sells its own hardware wallet, this incident has a wide range of impacts, far beyond the wallet itself, and a large number of dApps are exposed to the risk. Currently, there are no statistics on damaged funds.

Odaily reminds users that until the situation becomes clear, please suspend all interactions on the EVM chain.

Whats wrong with Ledger?

First of all, this attack was not targeted at Ledger’s hardware wallet, but at the dApp. On Ledger’s GitHub, the code of the Ledger ConnectKit suite in the Ledger Library has been maliciously tampered with.

The modified part is used in Ledger’s WalletConnect function.

Ledger ConnectKitis a service provided by Ledger, specifically, it can ease the work of developers. As we all know, if a dApp wants to interact, it must connect to the wallet. So how to connect to the wallet? Developers can of course refer to the wallet documentation and develop the code for the connection part by themselves, but a more mature and easier way is to use a third-party, mature connector with excellent experience and directly use the connector developed by a major manufacturer. Connect function.

WalletConnect is one such service. it canLet users’ wallets and dApps be connected, so this function is almost identical toAll users on the chainare all closely related and impact far beyond users of hardware wallets.

What services are affected?

Currently, there is no clear statistics on the full list of affected dApps. However, due to the strong influence of Ledger, a large number of dApps have integrated this function, so it can be judged that the scope of affected dApps is extremely wide.

Odaily once again reminds users to stop all interactions on the EVM chain for now.

Even Revoke.cash, known for its “deauthorize” feature, was affected. This also caused some users who were not affected to encounter risky events when their authorization was cancelled. A community user reported that the Revoke.cash website had serious vulnerabilities. He did not even connect to the wallet, but just opened the front end, and the web page was already trying to implant Trojans into his computer.

Revoke.cash posted on the X platform that Revoke.cash has temporarily closed its website and it is recommended not to use any encrypted websites while the vulnerability is being exploited.

Sushi was one of the first platforms discovered to be affected.Sushi CTO Matthew Lilley said in the X platform warning: Please do not interact with any Dapp until further notice. A common connector (connector) commonly used by Web3 is suspected of being damaged and can now be injected with malicious code that affects many DApps. ” Security team PeckShieldAlert noted that its community contributors reported that the front ends of Zapper and Sushi had been compromised.

The cross-chain DEX project Kyber Network issued a document on the X platform stating that out of caution, it has disabled the front-end UI until the situation is clear.

Currently, some Dapps, including Trader Joe and Hey, have stated that they have actively suspended integration with the Ledger connector until further notice.

Of course, there are also projects that escaped. Aava founder Stani said that Aava has not been affected yet and all funds are safe. But until further clarification from Ledger, still don’t use the DApp.

After the security incident broke out, the market was turbulent, which may have been affected by this incident. Ouyi OKX market shows that BTC once dropped to 41202 USDT, with an amplitude of 4.4% within 1 hour. ETH once dropped to 2226 USDT, with an amplitude of 3.35% within 1 hour.

Latest progress update

Scope Protocol Lianchuang 0xSentry inX platformIt said that among the digital traces left by the attackers was the Gmail account of @JunichiSugiura (Jun, a former Ledger employee), whose account (information) may have been compromised.

22:44,According to Lookonchain monitoring, Ledger Connect Kit vulnerability hackers have stolen approximately $484,000 in assets. Ledger attacker transferred 4.334 ETH to Angel Drainer.

Tether CEO Paolo Ardoino said on the X platform that Tether had just frozen the address of the Ledger exploiter.

Has the security situation been restored?

On December 15 (the day after the incident), Ledger posted on the X platform that the genuine Ledger Connect Kit 1.1.8 secure version had been pushed out. Confirm that the Ledger and WalletConnect malicious code has been deactivated. Users are already safe to use Ledger ConnectKit, but it is recommended to wait 24 hours and clear browser cache.

Ledger CEO issued an open letter stating that he would help affected individuals. The letter states that the incident was the result of a phishing attack on a former employee, which led to malicious actors uploading malicious files to Ledgers NPMJS, a package manager for JavaScript code.
Ledger worked with partners to quickly eliminate the vulnerability and attempted to quickly freeze the stolen funds, which actually ran for less than two hours. The vulnerability, which is limited to third-party DApps using the Ledger Connect Kit, is currently under investigation and Ledger has filed a complaint and will help affected individuals try to recover their funds.
Ledger will support affected users, help find and bring attackers to justice, track funds, and work with law enforcement to help recover stolen assets from hackers.
Previously, Tether CEO Paolo Ardoino posted on the X platform that Tether had frozen the USDT of the Ledger exploiters address.
In addition, Ledger stated that the genuine Ledger Connect Kit 1.1.8 secure version has been pushed out. Confirm that the Ledger and WalletConnect malicious code has been deactivated. Users are already safe to use Ledger ConnectKit, but it is recommended to wait 24 hours and clear browser cache.

Affected websites have also stated that updates have been completed.

Revoke.cash said it had removed the Ledger vulnerability from the site and reopened access to it. Sushi also removed the compromised Ledger connector and the site is now back online.

Although the scope of this incident is huge, it seems that the stolen funds are not huge, which is a blessing among misfortunes. At present, this incident has gradually come to an end.