Multiple DeFi Apps Compromised Due to Malicious Code in Ledger’s ConnectKit Library
Earlier today, several decentralized finance (DeFi) applications fell victim to a cyber attack caused by malicious code inserted into Ledger’s ConnectKit library. This exploit allowed for a “wallet drainer” to steal funds from users’ accounts when connecting to affected dapps.
Key Takeaways:
- The attack impacted various dapps, including SushiSwap, Zapper, Balancer, and Revoke.cash. Users were prompted to connect their wallets, which granted access to drain funds.
- Ledger has acknowledged the issue and removed the malicious code. However, projects using the affected libraries must update to ensure security.
- It is advised to avoid interacting with any dapps that use Ledger’s connector kit until further notice, as funds may still be at risk of being drained.
- The full impact of the attack is still being evaluated, but it is estimated that hundreds of thousands of dollars have already been stolen.
Developers initially reported the issue on Twitter, urging users to refrain from engaging with dapps. Ledger subsequently confirmed the compromise and released an update to replace the malicious code. However, they advised against using any dapps in the interim.
Popular DeFi Platforms Affected
SushiSwap, a leading decentralized exchange, took its front-end offline upon discovering the attack and warned users about the critical issue with Ledger’s connector. Other affected platforms include Zapper, Balancer, and Revoke.cash.
The exploit targeted Ledger’s connector kit, which facilitates transaction signing between its hardware wallets and decentralized apps. By inserting a wallet address tied to the attackers, they were able to drain funds from users’ accounts when approving prompts in the MetaMask browser wallet.
While Ledger hardware wallets and the Ledger Live app remained secure, Web3 users were left vulnerable to the injected malicious JavaScript in the ConnectKit library when approving transactions on dapps.
BlockAid, a cybersecurity firm, reported that at least $150,000 had already been stolen. However, the full extent of the damage is yet to be determined as several dapps were compromised before Ledger removed the malicious code.
Ledger Takes Responsibility
Ledger’s CTO accepted responsibility for the vulnerability, attributing it to a “horrible series of blunders” that led to their content delivery network being compromised. This ultimately enabled the JavaScript attack when users interacted with dapps relying on the Ledger ConnectKit.
Although Ledger has patched the exploit, DeFi platforms using the impacted libraries must update before it is safe to reconnect wallet integration. Developers are working diligently to implement fixes and prevent further thefts while users are advised to avoid decentralized apps for now.
Hot Take: Coordinated Cyber Attack Highlights Risks of Hardware Wallet Integration
This cyber attack serves as a stark reminder of the risks associated with connecting hardware wallets to DeFi platforms. It emphasizes the need for caution when approving transactions. While refraining from interacting with dapps should protect funds, it is crucial to monitor developments closely.
The confirmed amount stolen is already significant, and as affected sites assess whether they unintentionally integrated compromised Ledger libraries, user funds remain at risk. The true extent of this coordinated cyber attack on Web3 infrastructure is still unknown.
By
By
By
By
By