TL;DR
- Ledger, a leading hardware wallet provider, faces a security breach in the Ledger ConnectKit library.
- The supply chain attack stems from a compromised software library linked to Ledger. It has raised significant concerns over digital asset security.
Initial Discovery on Ledger ConnectKit Exploit
In another alarming development, the decentralized finance (DeFi) space faces a rug-pull security breach.
Unknown attackers carried out a supply chain attack on Ledger, a popular hardware wallet provider, aiming to exploit the Ledger ConnectKit.
Taking to X on December 14, 2023, Blockaid posted the news intending to protect web3 users.
The platform said the attackers injected a “wallet-draining payload” into the NPM package. In addition, they made off with hundreds of thousands of dollars worth of assets.
The supply chain attack wasn’t targeting any specific dApp or blockchain. However, every protocol whose users were in some way using the Ledger ConnectKit to transfer and manage assets was affected.
It compromised the connector—a crucial component in how off-chain Ledger wallet users securely manage and connect their assets online.
Ledger Attack Damages Trust In Decentralized Application
The security breach poses severe risks to users and their assets. It has potentially paved the way for malicious code injection to multiple dApps.
The decentralized application (dApp) protocols compromised by the attack, as mentioned by Blockaid, include SushiSwap, Kyber, Zapper, and RevokeCash.
Reacting swiftly to this breach, RevokeCash and Kyber have turned off their front ends. This came shortly after KyberSwap lost $46M in a DeFi heist, sparking a major security crisis.
Ledger has lost approximately $150,000 in just a few hours, emphasizing the significant impact of the breach. Blockaid assures its users (Blockaid-enabled wallets) that they’re secure from this supply chain attack.
However, the breach can pose substantial risks to the broader Web3 ecosystem.
Matthew Lilley says the attack traces back to using a unique Content Delivery Network (CDN) to host the Ledger ConnectKit software library.
“LedgerHQ/connect-kit loads JS from a CDN; their CDN account has been compromised, injecting malicious JS into multiple dApps,” Matthew Lilley, the Chief Technology Officer of Sushi, explained.
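The failure mode described above, script loaded from a CDN with nothing pinning its content, is what Subresource Integrity (SRI) addresses. The following is an added example, not code from the article or from Ledger: a build-time check in Node.js that computes an SRI value for a reviewed script, rejects a body that no longer matches it, and lists external script tags with no `integrity` attribute. The URLs, file names and script bodies are constructed placeholders.

```javascript
const crypto = require('node:crypto');

// SRI value for a script body: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// True only if the body served now matches the value pinned at review time.
function matchesPin(body, pinned) {
  const alg = pinned.split('-')[0];
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false;
  return sriHash(body, alg) === pinned;
}

// Script tag that makes the browser itself refuse a modified file.
function pinnedTag(url, body) {
  return `<script src="${url}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// External <script src> URLs in a page that carry no integrity attribute.
function unpinnedScripts(html) {
  const found = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    const external = src && /^(https?:)?\/\//i.test(src[1]);
    if (external && !/\bintegrity\s*=/i.test(tag)) found.push(src[1]);
  }
  return found;
}

// Constructed sample data (placeholders, not the real library or its URL).
const reviewed = 'export function connect() { return "ok"; }';
const changedOnCdn = reviewed + '\n/* content added after review */';
const pin = sriHash(reviewed);
const samplePage = [
  '<script src="https://cdn.example/loader.js"></script>',
  pinnedTag('https://cdn.example/pinned.js', reviewed),
  '<script src="/local/app.js"></script>',
].join('\n');

console.log('reviewed build matches pin:', matchesPin(reviewed, pin));
console.log('changed build matches pin: ', matchesPin(changedOnCdn, pin));
console.log('external scripts without integrity:', unpinnedScripts(samplePage));
```

The browser enforces the `integrity` attribute only on the tag that carries it, so a script that fetches further code at runtime needs the same pin applied to whatever it loads.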
Ledger’s Crisis Response on the Supply Chain Attack
Responding to the attack, Ledger announced that it acknowledges the compromise. It assures users that an authentic version of the Ledger ConnectKit is in the works to replace the malicious file.
In addition, a software patch is being developed to address security breaches. It also advised users to take precautionary measures by avoiding interacting with dApps connected with Ledger ConnectKit.
However, Lookonchain, a blockchain analytics platform, says over $480,000 of assets were stolen before Ledger corrected the error.
The incident serves as a reminder of the vulnerabilities prevalent in the digital sphere, especially dependencies on third-party integrations.
It highlights the importance of continuous security audits, swift responses, and proactive measures to emerging threats.
It’s the best way to safeguard the integrity of decentralized financial systems. The crypto community is on high alert, closely monitoring the developments as they evolve.
Will Ledger enforce tighter security measures to prevent future exploits?