Multiple DApps using the Ledger connector library compromised

Multiple decentralized applications using Ledger’s connector library have been compromised, including SushiSwap and Revoke.cash.

The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Balancer and Revoke.cash, was compromised on Dec. 14.

SushiSwap chief technical officer Matthew Lilley reported that a commonly used Web3 connector had been compromised, allowing malicious code to be injected into numerous DApps. On-chain analysts said Ledger’s library confirmed the compromise, with the malicious code inserting the drainer account address.

RED ALERT:

Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.

— I’m Software (@MatthewLilley) December 14, 2023

SushiSwap’s CTO blamed Ledger for the ongoing vulnerability and the compromise of multiple DApps. He claimed that Ledger’s content delivery network (CDN) was compromised, followed by a chain of terrible blunders: JavaScript was first loaded from a compromised CDN without version-locking the loaded JS.

Ledger Connect Kit is a library used by many DApps and maintained by Ledger. A wallet drainer has been added to it, so draining a user’s account might not happen on its own; however, prompts from a browser wallet (such as MetaMask) will be displayed and could give malicious actors access to the assets.

On-chain analysts warned users to avoid any DApps using the Ledger connector, adding that the connect-kit-loader is also vulnerable: any DApp that makes use of LedgerHQ/connect-kit is affected. They added that this is not a single isolated attack but a large-scale attack on multiple DApps.

seems like the Ledger’s @ledgerhq/connect-kit npm package was hacked, the latest publish was 2 hours ago. https://t.co/jFb6CThljS pic.twitter.com/AsbA675D9Q

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023

Polygon Labs vice president Hudson Jameson said that even after Ledger corrects the bad code in its library, projects using and deploying that library will need to update before it is safe to use DApps that rely on Ledger’s Web3 libraries.

Ledger acknowledged the vulnerability in its code and said it had removed a malicious version of the Ledger Connect Kit, adding that a genuine version was being pushed to replace the malicious file.

We have identified and removed a malicious version of the Ledger Connect Kit.

A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and…

— Ledger (@Ledger) December 14, 2023

This is a developing story, and further information will be added as it becomes available.
