A major vulnerability has been detected that is shaking up the decentralized application (Dapp) world and affecting numerous decentralized finance (DeFi) platforms. SushiSwap’s Chief Technology Officer has issued a serious warning about a security vulnerability arising from the Ledger connection kit. This development caused consternation among the cryptocurrency community.
SushiSwap CTO blames Ledger and warns cryptocurrency community
The front ends of several decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Balancer, and Revoke.cash, were compromised on December 14. SushiSwap chief technical officer Mathew Lilley announced that a widely used Web3 connector has been compromised. It also reported that this allowed malicious code to be injected into a large number of DApps. The on-chain analyst said that the Ledger library confirmed that this code added the offloading account address. These developments received various reactions from the cryptocurrency community.
🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
SushiSwap CTO blames Ledger for the ongoing vulnerability and compromise across multiple DApps. The CTO said Ledger’s content delivery system (CDN) was compromised. He also claimed that what followed was a chain of terrible mistakes. According to the CTO, they first loaded the java script from a CDN which was compromised without version locking the loaded JS.
How did the security vulnerability occur?
Ledger connector is a library used by many DApps and maintained by Ledger. In the latest development, a cryptocurrency wallet drain code has been added. Therefore, emptying a user’s account does not happen on its own. However, prompts from a browser wallet (such as MCC) are displayed, allowing malicious actors to access assets.
DAppsOn-chain analysts have warned users to avoid any DApps that use the Ledger connector. Along these lines, they added that connect-kit-loader is also vulnerable. Any DApp that uses LedgerHQ/connect-kit is vulnerable. On-chain analysts say this is not a single isolated attack. Instead, they state that it was a large-scale attack against multiple dApps.
seems like the Ledger's @ledgerhq/connect-kit npm package was hacked, the latest publish was 2 hours ago. https://t.co/jFb6CThljS pic.twitter.com/AsbA675D9Q
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023
Even after Ledger fixes the bad code in its libraries, cryptocurrency projects that use and distribute that library will need to update things so that DApps that use Ledger’s Web3 libraries are safe to use, said Hudson Jameson, vice president of Polygon Labs.
Ledger admits security vulnerability
Ledger, meanwhile, acknowledged the vulnerability in its code. In this regard, Ledger said that they removed a malicious version of Connect Kit. At the same time, an original version is currently being released to replace the malicious file. In this regard, Ledger made the following statement:
We detected and removed a malicious version of Ledger Connect Kit. Currently, the malicious file is replaced with an original version. Do not interact with any dApps for now. We will continue to keep you informed as the situation develops. Your Ledger device and Ledger Live are not in danger.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
