December 14, 2023

Caution Urged: Ledger Library Compromised, Users Advised to Avoid dApps

Ledger, the hardware wallet manufacturer, issues a warning against connecting to decentralized applications (dApps) following the discovery of a compromised version of its Ledger Connect Kit.

Hardware wallet manufacturer Ledger has issued a cautionary notice, urging users to refrain from connecting to decentralized applications (dApps) in light of the identification of a malicious iteration of the Ledger Connect Kit.

A Ledger spokesperson conveyed:

“We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment.”

The spokesperson reassured users that Ledger devices and the Ledger Live app remained uncompromised, emphasizing that the company would keep users informed as the situation developed.

In response to the attack, software wallet developer MetaMask also advised users to "stop using dApps".

The compromised version of the Connect Kit, a library facilitating the connection between the Ledger hardware wallet and dApps, was initially identified by developers on X. Web3 security firm BlockAid reported that the attacker injected a wallet-draining payload into the Ledger Connect Kit's NPM package, affecting dApps that utilized versions 1.1.4 and above of Ledger's Connect Kit, including Sushi.com and Hey.xyz.

SushiSwap CTO Matthew Lilley criticized Ledger for a "chain of terrible blunders", highlighting the compromise of a widely used web3 connector that allows for the injection of malicious code into numerous dApps.

Ethereum core developer Hudson Jameson explained:

"A library that is used by many dApps that is maintained by Ledger was compromised and a wallet drainer was added."

Jameson emphasized the current risk associated with using dApps, especially for users unfamiliar with the back-end libraries they employ. He noted that even after Ledger rectifies the code, projects using the compromised library must update before it is safe to use dApps employing Ledger's web3 libraries.

Ledger has faced recent criticism regarding its security, including concerns about its voluntary ID-based Recover service. Although unrelated to the recent attack, this service has drawn criticism for splitting a user's seed phrase and storing it with three separate custodians, requiring users to provide their passport or national identity card as identification.

In past incidents, Ledger came under scrutiny over a fraudulent app on the Microsoft App Store in November, which drained nearly $1 million from unsuspecting customers. In 2020, the company faced criticism after a customer email database was hacked, compromising over a million user emails.

Important security update

With Ledger Connect Kit (LCK) version 1.1.8 now released, it remains imperative for users to stay informed and exercise caution. The Ledger and WalletConnect teams have successfully neutralized the malicious code, reassuring developers of the safety of their operations.
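For dApp maintainers, the version bounds reported above (1.1.4 and above affected, 1.1.8 the fixed release) translate into a lockfile check. The following is an added example, not code from Ledger or from this article; it assumes the npm package name `@ledgerhq/connect-kit` and an already parsed `package-lock.json`, and the sample lockfile is constructed.

```javascript
// Bounds taken from the article: affected from 1.1.4, fixed in 1.1.8.
const PACKAGE = "@ledgerhq/connect-kit"; // assumed npm name of the Connect Kit
const FIRST_AFFECTED = [1, 1, 4];
const FIRST_FIXED = [1, 1, 8];

// Parse "x.y.z" (ignoring any pre-release or build suffix) into [x, y, z].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, FIRST_AFFECTED) >= 0 && compare(v, FIRST_FIXED) < 0;
}

// Return every pinned copy of the package in a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages" keyed by path) and 1 (nested "dependencies").
function auditLockfile(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, affected: isAffected(version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE)) record(path, meta.version);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === PACKAGE) record(path, meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // v2 files carry both maps
  return hits;
}

// Constructed sample lockfile: one direct copy and one nested under a dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.0.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
    "node_modules/some-connector/node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
  },
};
console.log(auditLockfile(sampleLock));
```

A lockfile only covers copies installed at build time; a copy of the library that a page fetches at runtime will not appear in it.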

However, for retail users, a word of caution is in order. If you accessed any websites this morning, irrespective of whether you initiated a transaction, there's a potential risk lingering in your browser's cache.

If feasible, consider refraining from using all dApps for the next 48 hours. This allows any cached data related to the now-deactivated code to naturally expire, minimizing any potential risks.
