A Critical Web3 Security Vulnerability
A significant web3 security vulnerability has surfaced, impacting several decentralized applications (dapps). It stems from Ledger Connect Kit, a JavaScript library published under the “LedgerHQ” name that dapps use to connect to Ledger’s hardware wallets. A compromised copy of the library lets an attacker inject malicious code into the front-ends of every dapp that loads it, putting users and their assets at substantial risk.
Multiple Dapps Disable Front-Ends
As a precaution, several dapps, including Kyber and RevokeCash, have disabled their front-ends in response to this vulnerability.
Supply Chain Attack on Ledger Connect Kit
Reports indicate that attackers replaced the library’s code with a malicious version designed to drain users’ wallets. Security firm Blockaid labeled the incident a “supply chain attack” on Ledger Connect Kit and estimated losses of $150,000 within a short period of time.
Potential Compromise of a CDN
A compromised content delivery network (CDN) account appears to be how the malicious code reached dapps. Sushi’s chief technology officer Matthew Lilly stated that the CDN account of LedgerHQ/connect-kit was compromised, leading to the injection of malicious JavaScript into multiple dapps that rely on the library.
Software Patch Released
Ledger has released a patched version of the library and advises dapps to update to it. Ledger has also confirmed that the malicious version of Ledger Connect Kit has been removed and is being replaced with a genuine version. Dapp operators should confirm that the copy their front-end actually serves is the genuine one rather than assuming the CDN has been cleaned up.
Exercise Caution with Dapps
Users are strongly advised not to interact with any dapp until further notice, since front-ends that have not yet replaced the compromised library may still be serving the malicious code.
Hot Take: Protecting Users and Assets in the Web3 Space
A critical web3 security vulnerability has raised concerns over the safety of decentralized applications and users’ assets. The attack, delivered through the LedgerHQ Connect Kit library, allowed malicious code to be injected into dapps’ front-ends. Multiple dapps responded by disabling their front-ends, and security experts estimate significant asset losses from this supply chain attack on Ledger Connect Kit. A compromised content delivery network (CDN) account hosting the library is believed to be the delivery vector. Ledger has released a patched version, but caution is advised when interacting with dapps until further notice. Protecting users and their assets remains a top priority in the web3 space.