Ledger, the French flagship of crypto hardware wallets, is in turmoil. A worrying flaw was discovered in the code of its system for connecting to decentralized finance (DeFi), posing serious security challenges for the company and its users.
Back to the hack
Ledger's Connect Kit, used to integrate decentralized applications (dapps) with Ledger products, was the target of a hacking attack. The incident was initially reported by Matthew Lilley, CTO of Sushi, who warned users of the compromise of the wallet connector. This flaw allowed the injection of malicious code affecting many dapps. The attack triggered a pop-up window inviting users to connect their wallet, activating a token diversion mechanism.
RED ALERT:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software (@MatthewLilley) December 14, 2023
The security flaw in Ledger's Connect Kit affected key DeFi protocols such as Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, with potential implications for other similar systems. According to Lookonchain, a blockchain analysis platform, the hacker behind the attack stole at least 4.334 Ether (ETH), equivalent to nearly $484,000.
A hacker attacked #Ledger and has stolen ~$484K assets.#LedgerExploiter transferred 4.334 $ETH to #AngelDrainer.
And the #AngelDrainer is also receiving assets currently and holds $363K assets.https://t.co/ZG5SRlKBjW pic.twitter.com/RK9aPyAjEE
— Lookonchain (@lookonchain) December 14, 2023
In the wake of this security breach, MetaMask, a competitor of the French unicorn, was also affected. Aware of the urgency, MetaMask quickly reacted by implementing a critical update for its platform. Its technicians assured that users equipped with the latest version, v2.121.0, should be able to resume their transactions safely, the update being done automatically.
Ledger did not delay in reacting
Two hours after the discovery of the security flaw, Ledger quickly acted by replacing the compromised version of its connector with a secure update. At the same time, the company alerted its users to the importance of verifying the information displayed during transactions. They insisted that the reliable data is the one that appears on the screen of the Ledger device. The company also advised users to be vigilant and stop any transaction if the information displayed on their key differs from that on other screens.
More fear than harm: Tether, through its leader Paolo Ardoino, announced that it had frozen the exploiter's address.
Tether just froze the Ledger exploiter address
— Paolo Ardoino (@paoloardoino) December 14, 2023
Moral of the story: Even the strongest oak bends under the wind.