The Ledger Code Library has fallen victim to a security breach, resulting in an unauthorized access that led to the drainage of $480,000. The attacker successfully compromised numerous Web3 decentralized applications (Dapps) in the process.
Matthew Lilley, the Chief Technology Officer (CTO) of SushiSwap, a decentralized exchange, issued a cautionary statement to investors. In his communication, Lilley advised investors to refrain from engaging with any decentralized applications (dApps) until further notice. He disclosed that the platform had been compromised due to a security vulnerability arising from faulty software.
Additionally, CTO Lilley pointed out that the questionable code had its origins in the GitHub page of Ledger, a hardware wallet provider.
“Do not interact with ANY dApp until further notice. A widely used web3 connector appears to have been compromised, allowing injection of malicious code affecting a large number of dApps.”
Yesterday, the security of a code library maintained by Ledger, a prominent crypto wallet provider, was compromised, posing a risk to user funds for a period exceeding five hours. According to etherscan.io, the compromised address contained approximately 66 ETH across 75 tokens, valued at about $98,000. Lookonchain reported that the attacker successfully drained assets amounting to $484,000. Notably, the USDT issuer Tether blacklisted the attacker's address.
Ledger, recognized as the largest hardware wallet provider in terms of user base, communicated on X that a secure version of its Ledger Connect Kit is undergoing automatic propagation. The company advises users to wait for 24 hours before resuming interaction with the connector.
The assailant compromised Ledger's Connect Kit, a widely-used code library facilitating interactions between user wallets and decentralized applications (dApps), through a "supply-chain attack," introducing malicious software into the system.
TODAY UPDATES:
In the latest Update of @Ledger on X Platform they said:
''The genuine Ledger Connect Kit 1.1.8 is now fully propagated. Ledger and WalletConnect can confirm that the malicious code was deactivated. You are now safe to use your Ledger Connect Kit. Reminder that that we always encourage clear signing.''
Right after this post @Artchick.eth on X Platform replied to the update and then Ledger answer to him back that:
''The malicious code has been deactivated from both Ledger and @WalletConnect - dApps are safe to use now. However, as a general opsec recommendation, we recommend to wait 24 hours, and clear browser cache.''
Lastly Ledger CEO Pascal Gauthier went on to call the hack “an unfortunate isolated incident.” He promised that moving forward.
“Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel.”
Photo by Max Saeling on Unsplash
Comments