In a recent turn of events, several decentralized applications (DApps) utilizing Ledger’s connector library faced security compromises, impacting platforms such as SushiSwap and Revoke.cash. Ledger has since addressed the issue and claims to have rectified the vulnerability.
On December 14, the front ends of various DApps, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, experienced compromise due to vulnerabilities in Ledger’s connector library. Ledger swiftly responded to the security breach, announcing that the malicious version of the file was replaced with the authentic version at approximately 1:35 pm UTC, three hours after the breach was detected.
Ledger is advising users to exercise caution by always “Clear Signing” transactions. Users are reminded that the information displayed on the Ledger device screen and the associated addresses are the only authentic details. If any disparities are noted between the Ledger screen and the computer/phone screen, users are urged to halt the transaction immediately.
The chief technical officer of SushiSwap, Matthew Lilley, was among the first to report the issue. He highlighted that a commonly used Web3 connector was compromised, allowing the injection of malicious code into multiple DApps. Lilley attributed the ongoing vulnerability to Ledger, asserting that Ledger’s content delivery network was compromised, leading to the loading of JavaScript from the compromised network.
The Ledger connector, a library widely used by DApps and maintained by Ledger, was found to include a wallet drainer, code designed to siphon assets from connected wallets. Users are cautioned that approving prompts from browser wallets like MetaMask while the malicious code is loaded could grant malicious actors access to their assets.
Lilley issued a warning for users to steer clear of DApps employing the Ledger connector, emphasizing that the “connect-kit” is also vulnerable. He stressed that this is not an isolated incident but a large-scale attack affecting multiple DApps.
Hudson Jameson, Vice President of Polygon Labs, highlighted that even after Ledger rectifies the compromised code, projects utilizing and deploying the library must update before it is safe to use DApps integrated with Ledger’s Web3 libraries.
Acknowledging the vulnerability, Ledger confirmed the removal of the malicious version of the Ledger Connect Kit and assured users that a genuine version is being pushed to replace the compromised file. Vigilance and prompt updates are recommended to ensure the security of DApps using Ledger’s Web3 libraries.