Ledger library flaw affects SushiSwap, Revoke.cash dapps

SushiSwap Chief Technical Officer Mathew Lilley has disclosed the compromise of a widely employed web3 connector within Ledger’s delivery network.

The breach has enabled malicious code injection into numerous decentralized applications (dapps). Lookonchain said the hacker stole $484,000 in assets, including 4.334 Ether, and the Angel Drainer phishing scam continues to receive assets, currently holding $363,000 worth.

In an update, Tether has frozen the Ledger exploiter’s address, effectively ending the scam.

Removal of malicious provider

Lilley contended that Ledger’s content delivery network was compromised, leading to the loading of JavaScript from the compromised network.

🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I’m Software 🦇🔊 (@MatthewLilley) December 14, 2023

The compromised Ledger connector library, widely employed by various dapps and overseen by Ledger, has seen the addition of a wallet drainer. While assets may not be drained automatically from a user’s account, prompts from browser wallets like MetaMask could potentially provide malicious actors access to the assets, according to Lilley’s claims.

🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023

The renowned cryptocurrency hardware wallet provider has since taken to X to announce the identification and removal of a malicious version of the Ledger Connect Kit. The company urges users to exercise caution and temporarily abstain from engaging with dapps.

Assuring the community of their proactive stance, Ledger has already initiated the deployment of a genuine replacement for the compromised file. Ledger also emphasizes that the security of user Ledger devices and Ledger Live remains intact, with no compromise detected.

An ongoing target

This is not the first time Ledger has been a target of malicious acts. On Nov. 5, crypto investigator ZachXBT raised an alert on the X platform regarding a fraudulent application named Ledger Live Web3.

This deceptive application mimicked the legitimate Ledger Live app, an official user interface for storing crypto assets offline using hardware wallets, effectively causing users to lose $800,000.

Source: https://crypto.news/ledger-library-flaw-affects-sushiswap-revoke-cash-dapps/