Ledger Library Exploit Exposes Millions to Asset Risks

14. Dec 2023 Posted by Guest on News

Today, a severe security vulnerability in web3 has surfaced, impacting multiple decentralized applications (dapps). The issue stems from a critical flaw in the "LedgerHQ" library, a software component integral to various dapps utilizing the services of crypto hardware wallet provider Ledger. This vulnerability raises alarming concerns as it opens the door for potential injection of malicious code into the front-ends of numerous dapps, posing a substantial threat to users and their assets.

As a precautionary measure, several projects, including Kyber and RevokeCash, have taken swift action to disable their front-ends in response to the identified vulnerability.

Reports indicate that the library code was surreptitiously replaced with malicious software crafted by hackers, strategically designed to siphon off users' assets. Security firm Blockaid categorizes this incident as a "supply chain attack" specifically targeting Ledger Connect Kit, estimating a loss of approximately $150,000 within a short timeframe.

The origin of the issue is suspected to be linked to a compromise of a specific content delivery network (CDN) hosting the LedgerHQ software library. Matthew Lilly, Chief Technology Officer at Sushi, stated, “LedgerHQ/connect-kit loads JS [JavaScript] from a CDN, their CDN account has been compromised, which is injecting malicious JS into multiple dApps.” Lilly emphasizes that any dApp relying on LedgerHQ/connect-kit is potentially vulnerable.

In response, a software patch has been swiftly developed and finalized as an update. However, the onus is on dapp developers to promptly adopt this patch to ensure the safety of their users. Ledger issued a statement assuring users that they have identified and removed the malicious version of the Ledger Connect Kit, replacing it with an authentic version.

As a precautionary measure, industry experts, including Matthew Lilly, advise users to refrain from interacting with any dapps until further notice, emphasizing the need for heightened vigilance amid the ongoing security concerns.