On December 14, the Ledger Connect Kit library, which lets users connect to websites with a hardware wallet, was compromised. On many dApps the wallet connection window was replaced with a phishing one, and users lost an estimated $600,000. On December 20, Ledger announced on its X account that it will reimburse victims by the end of February 2024 and described upcoming security improvements.
What is Ledger
Ledger is a manufacturer of hardware wallets for storing cryptocurrencies. The company currently sells three models: the Ledger Nano S Plus, the Ledger Nano X, and the Ledger Stax.
Read more about Ledger wallets and other ways to store cryptocurrency in our guide: How to store crypto.
All Ledger devices keep the user's private keys on the device, offline, so funds can be held without a constant internet connection. A device can also be connected to a computer or laptop with internet access so the user can manage funds, connect to dApps, and take part in DeFi; transactions are signed on the device itself, and only the signature leaves it.
How the connection of a Ledger wallet to dApps is designed
For a dApp's website to offer Ledger wallet connectivity, the dApp must first add Ledger to its list of supported wallets. As an illustration, this is what the wallet connection interface looks like on Revoke.cash, a service that lets users revoke approvals granted to smart contracts. To connect a Ledger wallet, the user presses the “WalletConnect” button.
Wallet developers publish ready-to-use code libraries that make it easy for dApp developers to integrate a given wallet on their website. Such a library is loaded dynamically, i.e. the site fetches the published copy at run time rather than shipping a reviewed, fixed version of its own, so whoever controls the published copy can change its content and the change reaches every service that uses it at once, with no action by those services' developers. This is what the attacker took advantage of.
Why the Ledger Connect Kit exploit happened
On December 14, an attacker managed to inject malicious code into the Ledger library called "Ledger Connect Kit". That let them replace the wallet connection interface on every dApp that loaded the library to offer log-in with Ledger. Here is a screenshot of how the interface changed.
As you can see, a phishing window was layered on top of the original one, offering to connect with any wallet. A user who connected by any of the offered methods and then approved the transaction it presented had the funds from their address transferred to the attacker. So not only Ledger wallet users were affected, but everyone who connected any wallet through such a phishing window and signed a transaction.
The Chief Technology Officer of the DEX SushiSwap was among the first to point out the exploit. According to Ledger's report, a former employee still had access that should have been revoked when they left the company. The attacker phished that former employee, obtained the access, and used it to publish the malicious version of the library.
How the Ledger Connect Kit library issue affected multiple dApps
Ledger can be used to connect to almost all major dApp websites, so the exploit paralysed many of them, including SushiSwap, Lido, and OpenSea. Services responded differently: some waited for Ledger to update the library and remove the malicious code, others temporarily disabled Ledger connectivity on their sites.
By the evening of December 14, the day of the exploit, Ledger developers had published an updated library with the malicious code removed, so about five hours passed between the compromise and the fix. Note that a fix published on the library side protects a user only once their browser loads the clean version rather than a cached copy of the malicious one. The estimated loss is $600,000.
Ledger promises to reimburse Connect Kit exploit victims and to focus on security
On December 20, Ledger addressed users on X. Here are the three main points:
1️⃣ The company will compensate all those affected by the vulnerability for their losses. The total compensation will be $600,000, to be paid out by the end of February 2024;
2️⃣ By June 2024, the "Blind Sign" feature will no longer be available to users of Ledger devices. Blind signing means approving a transaction whose contents the device cannot display; the company will switch to "Clear Sign", which shows the user the decoded details and implications of a transaction before it is signed;
3️⃣ Ledger further clarified that the vulnerability did not affect the devices or compromise private keys: it was in the library code, not in the hardware. The practical lesson is that a hardware wallet protects the key, not the decision to sign. The victims' keys never left their devices, yet they lost funds because they approved the transactions the phishing window presented.
This is not the first theft of funds involving the Ledger brand. For example, in November, users lost $768,000 to a fake Ledger app in the Microsoft Store.
DeFi and Web3 carry many risks and possible vulnerabilities. A friendly reminder: keep an eye on the social accounts of the services you use, and in incidents like this one, do not use any affected dApp until the situation is resolved. Also, read our article Crypto scam: how to protect yourself.