Ledger, a provider of hardware cryptocurrency wallets, has reported that roughly $600,000 worth of digital assets were drained from users' wallets after its Connect Kit library was compromised and used to trick users into blind-signing malicious transactions on EVM-compatible DApps. In response, Ledger has promised to ensure that all affected users are “made whole” and will phase out blind signing on its devices by June 2024.
Hardware wallet provider Ledger has announced that it will reimburse all users affected by the recent Ledger Connect Kit exploit, in which a malicious version of the library was used to drain cryptocurrency from users' wallets. The company has stated that it takes full responsibility for the incident and will work to ensure that all users are compensated for their losses.
Following the incident, Ledger's Chairman and CEO, Pascal Gauthier, published a letter on the company's official blog addressing the issue. Gauthier stated that the exploit was the result of a former employee falling victim to a phishing attack. This gave a malicious actor access to the employee's account on the public NPM registry (npmjs.com), from which they published a malicious version of the Connect Kit library; DApps that loaded it then served code that stole cryptocurrency from user wallets. He also said that the firm was able to resolve the issue swiftly and would take steps to prevent similar incidents from happening in the future.
On Dec. 20, Ledger posted on its official X (formerly Twitter) account that it is aware of the recent scam that affected users through blind signing on Ethereum Virtual Machine (EVM) decentralized applications (DApps), and that it is working to address the issue.
On December 14, 2023, multiple decentralized applications that embedded Ledger's Connect Kit library were compromised, resulting in significant losses for users. These included popular platforms such as SushiSwap and Revoke.cash.
Ledger has now announced that it will fully reimburse all victims of the exploit, in an effort to make them “whole” again. The firm stated:
“We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them.”
As part of its effort to prevent future exploits, Ledger will work with the decentralized application (DApp) ecosystem to make clear signing available, so that users can verify on the Ledger device itself what a transaction does before signing it. Ledger will also stop allowing blind signing with Ledger devices, phasing the functionality out by June 2024. The company expects this to better protect users' funds in the future.
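To make the difference between blind and clear signing concrete, here is an added example (not Ledger's code and not part of the original article): a minimal decoder for the calldata of three common ERC-20/ERC-721 calls. The function selectors are the first four bytes of keccak256 of each canonical signature, and the sample calldata is constructed for illustration. Clear signing shows the user the decoded fields below; blind signing shows none of them, which is what lets a drainer get an unlimited allowance approved.

```javascript
// Added example, not Ledger's code: a minimal ABI decoder for the calldata of
// a few common ERC-20/ERC-721 calls, so the reader can see what a blind
// signature would actually authorise. Selectors are the first 4 bytes of
// keccak256(canonical signature); the sample calldata below is constructed.

const SELECTORS = {
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
  "a22cb465": { name: "setApprovalForAll", params: ["address", "bool"] },
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI word (64 hex chars) following the 4-byte selector.
function word(hex, i) {
  const start = 8 + i * 64;
  const w = hex.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return w;
}

function decodeCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) throw new Error("malformed calldata");
  const selector = hex.slice(0, 8);
  const entry = SELECTORS[selector];
  if (!entry) {
    // Nothing the device could render field by field: this is a blind signature.
    return { selector, name: null, args: [], warnings: ["unknown selector: cannot be clear-signed"] };
  }
  const warnings = [];
  const args = entry.params.map((type, i) => {
    const w = word(hex, i);
    if (type === "address") {
      // Addresses are right-aligned in the word; non-zero padding is a red flag.
      if (!/^0{24}/.test(w)) warnings.push(`argument ${i}: address has non-zero padding`);
      return "0x" + w.slice(24);
    }
    if (type === "uint256") return BigInt("0x" + w);
    if (type === "bool") return BigInt("0x" + w) !== 0n;
    throw new Error(`unsupported type ${type}`);
  });
  if (entry.name === "approve" && args[1] === MAX_UINT256) {
    warnings.push("unlimited token allowance granted to spender");
  }
  if (entry.name === "setApprovalForAll" && args[1] === true) {
    warnings.push("operator approval over the whole collection");
  }
  return { selector, name: entry.name, args, warnings };
}

// Render the decoded call the way a clear-signing flow would show it to the user.
function describe(calldata) {
  const d = decodeCalldata(calldata);
  if (!d.name) return `unknown call 0x${d.selector}`;
  const argText = d.args.map((a) => (typeof a === "bigint" ? a.toString() : String(a))).join(", ");
  const flag = d.warnings.length ? ` [WARNING: ${d.warnings.join("; ")}]` : "";
  return `${d.name}(${argText})${flag}`;
}

// Constructed sample: approve(0x1111...1111, 2**256-1), the pattern a drainer
// wants a victim to blind-sign. Spender address is hypothetical.
const SAMPLE_UNLIMITED_APPROVE =
  "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);

if (typeof require !== "undefined" && require.main === module) {
  console.log(describe(SAMPLE_UNLIMITED_APPROVE));
}
```

The decoder only covers the three selectors in its table; anything else is reported as undecodable, which is the honest answer a signer should give rather than showing a bare hash. A real clear-signing implementation needs the contract ABI (or a registry of known functions) for every call it wants to render, which is why Ledger frames clear signing as something the DApp ecosystem has to support.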
Ledger also warned users on social media to be wary of phishing and scams, reminding them that it operates only two authentic social media accounts and would never ask for a user's 24-word Secret Recovery Phrase.