Dapps Compromised After Ledger Connector Hack
dApps #dApps
Dapps Compromised After Ledger Connector Hack
DeFi platforms SushiSwap, Zapper, and Revoke.cash were compromised today after a suspected “supply chain attack” on hardware wallet company Ledger. The hack allowed hackers to insert code into Ledger’s ConnectKit library. This code enabled them to display fake wallet connection prompts aimed at draining users’ funds.
SushiSwap was one of the first platforms to spot the attack. According to a tweet by SushiSwap CTO Matthew Lilley, a commonly used Web3 connector utilized by many DeFi platforms had been compromised. This enabled attackers to inject malicious code affecting numerous applications.
In an official statement, SushiSwap warned users to avoid any unexpected “Connect Wallet” pop-ups:
The attack works by tricking users into approving fake transactions that drain funds from their crypto wallets. While the malicious code cannot directly access users’ Ledger devices or seed phrases, it can display fake prompts aimed at convincing users to sign off on fraudulent transactions.
Both SushiSwap and Revoke.cash have taken their front-end platforms offline to protect users while investigations into the hack continue. Zapper also appears to have been affected.
While funds held on hardware wallets like Ledger devices remain secure, users could unknowingly approve transactions that result in theft if they connect to compromised DApps.
Ledger has now released an official statement on its X account:
This is a developing story and will be updated.