Ledger’s API recently caused a security flaw affecting various dApps, including SushiSwap and Revoke.cash, which uses the Ledger connector library. Ledger promptly released a fix.
On December 14, a security breach impacted dApps like Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, prompting Ledger to replace the compromised file with the original version within three hours of detection, around 1:35 pm UTC.
As a precaution, Ledger advised users to utilize the “Clear Sign” feature and verify the address and information on the Ledger screen when using DApps.
“If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”
Matthew Lilley, CTO of SushiSwap, reported the vulnerability in a widely-used Web3 connector exploited to inject malicious code into multiple DApps. Lilley noted that the Ledger library confirmed the compromise where the vulnerable code inserted the drainer account address.
He attributed the security breach to Ledger’s delayed response to the issue, citing a compromise of Ledger’s CDN as the root cause, leading to malicious JavaScript injection into multiple DApps.
The vulnerability affected the ledger connector, a library maintained by Ledger and used by numerous DApps, and to address potential wallet drainers, a mechanism preventing automatic asset drainage has been implemented.
While the vulnerability didn’t automatically execute malicious code, it could prompt users via their browser wallet to grant access to a malicious actor, risking asset compromise.
Meanwhile, Lilley warned users to avoid Ledger connector-based dApps, highlighting the vulnerability’s impact on the ‘connect-kit’ library. This incident is part of a coordinated attack on multiple DApps.
Despite Ledger fixing its library, Hudson Jameson, VP of Polygon Labs, noted that DApps using the library must update to avoid continued exposure to malicious code.
Ledger acknowledged the vulnerability, taking steps to remove the malicious version of the Connect Kit.
The attack is beyond Ledger
Leading non-custodial web wallet has also spoken on the exploit. MetaMask noted that the attack is not limited to Ledger users and affects everyone. It also added that it has deployed a fix for MetaMask Portfolio and users on the latest version of v2.121.0 will be able to transact again and will be updated automatically.
Developer Relations at MetaMask Francesco Andreoli also commented on this issue saying:
“”metamask/sdk” is not affected “metamask/sdk-react” is not affected. “metamask/sdk-react-ui” is using this package as a Wagmi dependency but an older version (1.1.0) so it’s not affected cause this issue is happening in version 1.1.7. On top of that our integration as MetaMask SDK Connector in Wagmi V1 & V2 are also not affected.”
Read also: Why Rollups present a unique business model in crypto: Insights from Galaxy Ventures Exec
