The Front End of Multiple DApps Compromised
The front ends of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, were compromised on Dec. 14. Ledger reported that the malicious version of the file had been replaced with its genuine version.
Always Clear Sign Transactions
Ledger warns users to always clear sign transactions and emphasizes that the addresses and information displayed on the Ledger screen are the only genuine ones. If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop the transaction immediately.
Ledger Blamed for Vulnerability
SushiSwap’s CTO Matthew Lilley blamed Ledger for the ongoing vulnerability and compromise on multiple DApps. He claimed that Ledger’s content delivery network was compromised, with JavaScript being loaded from the compromised network.
Library Used by Many DApps
Ledger connector is a library used by many DApps and maintained by Ledger. A wallet drainer has been added to it, which causes a browser wallet like MetaMask to display a prompt and could give malicious actors access to assets.
Update Required for Safety
Hudson Jameson from Polygon Labs stated that even after Ledger corrects the bad code in its library, projects using and deploying the library will need to update before it is safe to use DApps using Ledger’s Web3 libraries.
Impact on Funds and Websites
Ido Ben-Natan, co-founder and CEO of Blockaid, revealed that hundreds of thousands of dollars have been impacted over the past two hours due to the vulnerability. Many websites are still affected, and users are being hit.
Ledger’s Response and Genuine Version
Ledger acknowledged the vulnerability in its code and removed the malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file. Users are advised not to interact with any DApps for the moment.
Hot Take: Ledger Faces Security Breach Compromising Multiple DApps
A security breach in Ledger’s connector has compromised the front end of multiple DApps, including popular ones like Zapper and SushiSwap. The breach allowed malicious code to be injected into these applications, potentially giving attackers access to users’ assets. Ledger has warned users to always clear sign transactions and ensure that the information displayed on their device matches their computer or phone screen. SushiSwap’s CTO blamed Ledger for the vulnerability, stating that their content delivery network was compromised. While Ledger has removed the malicious version of their library, users are advised to avoid using DApps connected to Ledger until updates have been made for safety.