Multiple DApps using the Ledger connector library compromised

3



The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Balancer and Revoke.cash, were compromised on Dec. 14.

SushiSwap chief technical officer Mathew Lilley reported that a commonly used Web3 connector has been compromised, allowing malicious code to be injected into numerous DApps. The on-chain analyst said the Ledger library confirmed the compromise where the vulnerable code inserted the drainer account address.

Lilley blamed Ledger for the ongoing vulnerability and compromise on multiple DApps. The exec claimed that Ledger’s content delivery system was compromised, followed by a chain of terrible blunders where it first loaded JavaScript from a compromised CDN while not version-locking loaded JS.

Ledger connector is a library used by many DApps and maintained by Ledger. A wallet drainer has been added, so the draining from a user’s account might not happen on its own. However, prompts from a browser wallet like MetaMask will display and could give malicious actors access to the assets.

Lilley warned users to avoid any DApps using the Ledger connector, adding that the “connect-kit” is also vulnerable, and this isn’t a single isolated attack but a large-scale attack on multiple DApps.

Polygon Labs vice president Hudson Jameson said even after Ledger corrects the bad code in its library, projects using and deploying the library will need to update before it is safe to use DApps using Ledger’s Web3 libraries.

Ido Ben-Natan, co-founder and CEO of Blockaid, told Cointelegraph:

“Ledger users are not at risk if not transacting. It is not exploitable on prior approvals. Revoke.cash specifically is affected, so don’t interact with it. the number of impacted funds is hundreds of thousands of dollars over the past two hours. Many websites are still affected, and users are getting hit.”

Related: KyberSwap hacker demands complete control over Kyber company

Ledger acknowledged the vulnerability in its code and said it has “removed a malicious version of the Ledger Connect Kit,” adding that “a genuine version is being pushed to replace the malicious file now.“

Magazine: HTX hacked again for $30M, 100K Koreans test CBDC, Binance 2.0: Asia Express