Earlier today, crypto hardware wallet manufacturer Ledger confirmed that its Connector library was compromised after attackers replaced a genuine version with a malicious file. Following the incident, several decentralized applications (dApps) faced potential exploits, with the attacker managing to siphon more than $500,000 from multiple wallets.
In this report, CryptoSlate brings you a breakdown of the incident, its key events, and the implications.
What happened?
In an extensive post on social media platform X (formerly Twitter), Ledger explained that a former employee was phished, giving the attackers access to this former employee’s NPMJS account (npm being the software registry owned by GitHub).
Subsequently, the attackers published altered versions of the Ledger Connect Kit containing malicious code. This code was used in a deceptive WalletConnect prompt that redirects funds to a wallet controlled by the attacker.
The malicious versions deceive users by displaying fake prompts upon connection to the dApp frontend, prompting inadvertent approval of fake transactions. Clicking on these prompts results in unwittingly signing a transaction that could drain the user’s wallet.
However, the security breach does not directly impact the Ledger wallet or compromise seed phrases. The risk only arises once users connect their wallet to a dApp.
Ledger resolves issue
Ledger swiftly addressed the issue by replacing the malicious Ledger Connect Kit with an authentic version. The hardware wallet manufacturer confirmed the fix and promised a comprehensive report to be released soon. The company said:
“Ledger’s technology and security teams were alerted, and a fix was deployed within 40 minutes of Ledger becoming aware. The malicious file was live for around 5 hours, however we believe the window where funds were drained was limited to a period of less than two hours.”
In addition, users were reminded to Clear Sign their transactions, ensuring that the information displayed on the computer or phone screen matches what is shown on the Ledger device. Users have also been advised not to use a cached copy of the malicious library and to clear the cache if one is already in use.
In a postmortem letter, Ledger CEO Pascal Gauthier admitted his company’s security practices failed in this “unfortunate isolated incident.” He outlined plans to implement “stronger security controls” while calling for industry-wide adoption of more secure “clear signing” standards that could have potentially prevented the unauthorized transactions.
$610k stolen
Despite the fix and the ensuing concerns that the compromise generated, on-chain sleuth ZachXBT reported that $610,000 was siphoned from various wallets.
The attacker’s wallet has also been tagged on Etherscan as the “Ledger Exploiter,” with a balance exceeding $330,000 as of press time, according to DeBank data.
Paolo Ardoino, Tether CEO, revealed that the stablecoin issuer froze the exploiter’s wallet immediately. “Tether just froze the Ledger exploiter address,” Ardoino said. The wallet contained about $44,000 worth of USDT.
The freeze means the wallet can no longer send USDT to other addresses. However, it can continue to make other transactions.
Can you use your Ledger wallet?
As stated, the security breach does not directly impact the Ledger wallet or compromise seed phrases. This means that Ledger users can continue to use their hardware wallets.
However, they are advised to avoid interacting with decentralized applications until told otherwise by these platforms.
Meanwhile, Ledger told developers that the genuine version of the compromised Connect Kit has been automatically propagated. “We recommend waiting 24 hours until using the Ledger Connect Kit again,” the company added.
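For developers checking which copy of the kit their frontend actually resolves, the following added example (not code from the article or from Ledger) audits an npm lockfile for a named package and flags any copy that is not pinned to an allowlisted version, lacks an integrity hash, or resolves from outside the expected registry. The package name `@ledgerhq/connect-kit`, the allowlist and the sample lockfile are assumptions and constructed placeholders, not known-good data from the incident.

```javascript
// Added example, not the article's or Ledger's code: audit an npm lockfile for
// one package and flag copies that are not pinned to an allowlisted version,
// lack an integrity hash, or resolve from outside the expected registry.
// PACKAGE is the assumed npm name of the Ledger Connect Kit; the allowlist and
// the sample lockfile are constructed placeholders, not real known-good data.
const PACKAGE = "@ledgerhq/connect-kit";
const ALLOWED_VERSIONS = new Set(["1.0.0"]);
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

function checkEntry(path, entry, allowed) {
  const reasons = [];
  if (!allowed.has(entry.version)) reasons.push(`version ${entry.version} not allowlisted`);
  if (!entry.integrity) reasons.push("missing integrity hash");
  if (!entry.resolved || !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
    reasons.push(`resolved from ${entry.resolved || "unknown"}`);
  }
  return { path, version: entry.version, ok: reasons.length === 0, reasons };
}

function auditLockfile(lock, pkgName = PACKAGE, allowed = ALLOWED_VERSIONS) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by node_modules path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + pkgName)) findings.push(checkEntry(path, entry, allowed));
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + name;
        if (name === pkgName) findings.push(checkEntry(path, entry, allowed));
        walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample: one pinned, verified copy plus a nested copy that is
// unpinned, unverified and fetched from a non-registry URL.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/@ledgerhq/connect-kit": { version: "1.0.0", integrity: "sha512-PLACEHOLDER",
    resolved: "https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.0.0.tgz" },
  "node_modules/other-lib/node_modules/@ledgerhq/connect-kit": { version: "9.9.9",
    resolved: "https://cdn.example.invalid/connect-kit-9.9.9.tgz" },
} };
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(f.ok ? "OK " : "BAD", f.path, f.reasons.join("; "));
}
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a nested copy under another dependency is exactly the kind of entry a top-level pin does not cover.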
Source: https://cryptoslate.com/understanding-the-ledger-library-exploit/