Multiple decentralized finance (DeFi) applications were compromised earlier today after malicious code was inserted into Ledger’s ConnectKit library. The injected code acted as a wallet drainer: users visiting affected dapps were prompted to connect their wallets, and approving the resulting prompts gave the attackers access to steal their funds.
Key points
- Malicious code was inserted into Ledger’s ConnectKit library, allowing a “wallet drainer” to steal funds from users’ accounts when connecting to decentralized apps (dapps).
- The attack affected multiple dapps including SushiSwap, Zapper, Balancer, and Revoke.cash. Users were prompted to connect their wallets, which gave access to drain funds.
- Ledger acknowledged the issue and said they removed the malicious code, but projects using the impacted libraries need to update to stay secure.
- Users should avoid interacting with any dapps that use Ledger’s connector kit until further notice, as the vulnerability may still allow funds to be drained.
- So far, funds drained are estimated to be in the hundreds of thousands of dollars, but the full impact is still being evaluated.
The issue was first publicly reported by developers on Twitter, warning users to avoid interacting with dapps. Ledger soon confirmed its ConnectKit library had been compromised and it was pushing an update to replace the malicious code. However, Ledger warned users not to use any dapps in the meantime.
A number of popular DeFi platforms were impacted, including leading decentralized exchange SushiSwap. SushiSwap took its front-end offline upon learning of the attack, warning users of a critical issue with Ledger’s connector. Other affected dapps included Zapper, Balancer, and Revoke.cash.
RED ALERT:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software (@MatthewLilley) December 14, 2023
The malicious code was injected into Ledger’s connector kit, the library that links its hardware wallets to decentralized apps so that transactions can be signed. The inserted code added a wallet address controlled by the attackers, so that funds were drained from users’ accounts when they approved prompts in the browser wallet MetaMask.
While Ledger hardware wallets and the Ledger Live app itself were not compromised, the injected malicious JavaScript in the ConnectKit library left Web3 users vulnerable when approving transactions on dapps.
According to cybersecurity firm BlockAid, which first identified the wallet drainer payload, at least $150,000 has already been stolen. However, the full damage is still being evaluated as numerous dapps were compromised before Ledger managed to remove the malicious code.
We've detected a potential supply chain attack on ledgerconnect kit
The attacker injected a wallet draining payload into the popular NPM package.
This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T
— Blockaid (@blockaid_) December 14, 2023
Ledger acknowledged responsibility for the vulnerability, with the company’s CTO citing a “horrible series of blunders” that allowed their content delivery network to be compromised. This enabled the JavaScript attack when users interacted with dapps that relied on the Ledger ConnectKit.
We have identified and removed a malicious version of the Ledger Connect Kit.
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
Even though Ledger has replaced the malicious file, DeFi platforms that pulled in the impacted library versions still need to update to the clean version before it is safe to re-enable their wallet integration. Developers are scrambling to push fixes to avoid further theft, and users are warned to steer clear of decentralized apps for the time being.
The cyber attack underscores the risks associated with connecting hardware wallets to DeFi platforms and serves as a sobering reminder to exercise caution before approving transactions. While funds are likely not at risk if users refrain from interacting with dapps, the potential impact is still unfolding.
Hundreds of thousands of dollars have already been confirmed stolen. But as numerous sites evaluate whether they unknowingly integrated the compromised Ledger libraries, putting user funds at risk, the full damage of this coordinated cyber attack on Web3 infrastructure remains unknown.