Ledger Software Poisoned, Causing User Asset Crisis!
During the joyful Taipei Blockchain Week, a serious Web3 security vulnerability emerged on the evening of the 15th. Many KOLs and projects urged the community on X to “immediately suspend any interactions with DApps (decentralized applications)” to prevent asset theft.
According to blockchain security company Blockaid, this security incident is related to the well-known hardware wallet Ledger. The reason is that Ledger’s code repository, “ConnectKit,” was compromised by hackers using a “supply chain attack.” In simple terms, the attacker replaced part of the code in the “ConnectKit” code repository with malicious code to steal assets.
However, the impact is not limited to Ledger users: all wallet users who use the Ethereum Virtual Machine (EVM) may be exposed. The reason is that decentralized applications that use version 1.1.4 or above of Ledger’s “ConnectKit” may be at risk, but it is not yet known which DApps use this code repository.
The safest way currently is to stop interacting with DApps until both Ledger and the DApps have been fixed.
Ledger has fixed the erroneous code! Developers warn: projects still need to update
After the incident, Ledger quickly fixed the issue and issued a statement: “We have removed a malicious version of Ledger Connect Kit and are now pushing a new version to replace it.”
However, Ethereum core developer Hudson Jameson further explained that there is still a risk in using these applications unless one understands the code repositories that decentralized applications rely on behind the scenes.
He warned that even though Ledger has fixed the erroneous code, the relevant projects still need to update before these applications can be used securely.
Matthew Lilley, the CTO of decentralized exchange SushiSwap, harshly criticized Ledger for a series of terrible mistakes. He explained, “A Web3 software library used by many DApps has been tampered with, resulting in malicious code affecting many decentralized applications.”
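For DApp developers, one way to check whether a project's own build pulls in ConnectKit at a version in the range the article gives ("1.1.4 or above") is to audit the npm lockfile. This is an added example, not code from Ledger or from the article; the npm package name `@ledgerhq/connect-kit` is an assumption not stated in the article, the sample lockfile is constructed, and the article names no fixed version, so the check has only a lower bound.

```javascript
// Added example: flag lockfile entries for a package at or above a threshold version.
// Assumptions: npm package name "@ledgerhq/connect-kit" (not given in the article);
// threshold "1.1.4" is the article's figure. The article names no fixed version.
const PACKAGE = "@ledgerhq/connect-kit";
const AT_RISK_FROM = "1.1.4";

// Compare dotted numeric versions; pre-release/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Collect every installed copy of `name` from a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages") and 1 (nested "dependencies").
function findInstalled(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const match = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (match && meta.version) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name && meta.version) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Mark each installed copy as at risk when its version is >= the threshold.
function auditLock(lock, name = PACKAGE, from = AT_RISK_FROM) {
  return findInstalled(lock, name).map((h) => ({ ...h, atRisk: compareVersions(h.version, from) >= 0 }));
}

// Constructed sample lockfile (not from any real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "example-dapp" },
  "node_modules/@ledgerhq/connect-kit": { version: "1.1.3" },
  "node_modules/wallet-lib/node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
}};
console.log(auditLock(sampleLock));
```

A lockfile only lists dependencies resolved at install time, so scripts a page fetches at runtime need a separate review.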
Frequent Ledger security incidents!
In recent months, Ledger’s security issues have faced criticism. First, Ledger’s identity-based “Recover” service sparked dissatisfaction among cryptocurrency users. The reason is that this service splits and stores user recovery phrases among three different custodians and requires users to provide a passport or national ID as proof of identity.
The disgruntled crypto community referred to this service as a “backdoor.” Later, Ledger’s co-founder Éric Larchevêque called the launch of the service a “complete PR failure” but emphasized that it was not a technical failure.
In November of this year, a fake Ledger application on the Microsoft Store caused users to lose nearly $1 million. In 2020, Ledger’s database was hacked, resulting in the leak of over a million users’ emails.
References:
Decrypt, The Block
Proofread/editing: Gao Jingyuan