Ledger dApps compromised and replaced with a drainer, SushiSwap CTO cites content delivery system blunders
dApps #dApps
Share:
New findings from the Ledger dApps attack show that the exploiter may have left their email address behind.
Also, blockchain detective Lookonchain reports that the attacker made away with just about $484,000 worth of assets, and that they moved 4.334 ETH to the drainer address.
Tether CTO Paolo Ardoino says “Tether just froze the Ledger exploiter address,” while Crypto Banter’s Ran Neuner urges users to shun interacting “with DeFi at all today! [as] No app is safe regardless of whether you use a Ledger.”
The following section was published shortly after the attack
Ledger is the latest victim of a hacking incident after multiple decentralized applications (dApps) on its connector library were hacked. The exploiter inserted a wallet drainer account address through the vulnerable code. Among the affected dApps were SushiSwap, Revoke.cash, Zapper and Balancer.
Ledger has confirmed the vulnerability in its code, confirming having truncated a malicious version of the Ledger Connect Kit, with efforts to put a genuine version already underway.
According to DAppsOn-chain analysts, the connect-kit-loader as well as every other dApp that uses LedgerHQ/connect-kit, is vulnerable and should not be used, acknowledging that this is a large-scale attack on multiple dApps.
SushiSwap’s Chief Technical Officer, Mathew Lilley, explained that the attack allowed the injection of malicious code. Nevertheless, Sushi has confirmed working to remove the ledger wallet connector but asks users to “refrain from engaging with any dApps until further notice.”
Besides the bold assertion, Lilley blames Ledger for the attack, citing multiple blunders after Ledger’s content delivery system (CDN) was compromised. According to the CTO, Ledger first loaded java script from a compromised CDN before version-locking loaded java script.
With the addition of a drainer address, funds may not leave the user’s account unless they react to prompts from a browser wallet. This could give the exploiter access to the user’s account. Users are therefore urged not to interact with untrusted prompts until the situation is resolved.
According to Polygon Labs Vice President, Hudson Jameson, the intervention by Ledger to remove the malicious version of the Ledger Connect Kit is not enough, adding that projects that use that library should update things on their own end prior to using dApps that leverage Ledger’s Web3 libraries.
Ledger did not immediately respond to FXStreet team’s request for comment.