
Ledger, Yuga Labs & Flooring Protocol Are Reimbursing Hack Victims

BY Lorepunk

December 20, 2023

In response to a vulnerability discovered in Ledger Connect Kit that led to the theft of over $600,000 worth of NFTs and other assets from holders, leading hardware wallet provider Ledger has committed to reimbursing all who were affected—even if they were not using a Ledger hardware wallet.

On Dec. 14, a former Ledger employee clicked a phishing link that enabled a hacker to gain access to that employee’s GitHub account—where he still had access to Ledger’s code. The hacker replaced the code for Ledger’s Connect Kit, a piece of infrastructure that is used in a number of dApps, with a malicious version that re-routed user assets to their own wallet. The malicious code remained live for around five hours, according to Ledger.

“We affirm our CEO & Chairman Pascal Gauthier’s promise to make sure victims who had their assets stolen on Dec 14th, 2023 by the attacker together with angel drainer are made whole, including users who are not Ledger customers,” Ledger’s official account posted on X. “We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them,” they wrote.

This follows on from Gauthier’s initial promise made on the day of the hack. “My personal commitment: Ledger will dedicate as much internal and external resources as possible to help the affected individuals recover their assets,” he wrote on Dec. 14.


In light of broad concern around the need to tighten security in web3, Ledger also announced that it will remove support for “blind signing”—the ability to sign a transaction without having access to information about what that transaction does—from its hardware wallet devices, and is encouraging developers to adopt Clear Signing, which spells out every transaction, as a new standard for dApps. “We are announcing that by June 2024, users will no longer be able to Blind Sign with Ledger devices. Our commitment is to work with the community and dApp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and encourage Clear Signing across dApps. Front-end attacks have happened many times before and will continue to plague our ecosystem. The only foolproof countermeasure for this type of attack is always to verify what you consent to on your device,” they wrote in their announcement post.
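To make the blind-versus-clear-signing distinction concrete, here is an added illustration (not Ledger's code, nor code from any wallet or dApp named here): a small decoder that turns the raw calldata a compromised front end might hand to a wallet into the plain-language statement a device could display before the user signs. The three function selectors are the standard ERC-20/721/1155 ones; the contract addresses and the operator address in the sample are constructed placeholders.

```javascript
// Added illustration of "clear signing": decode calldata into a readable statement
// plus a risk rating, so the user verifies intent on-device rather than signing an
// opaque hash. Selectors are the first 4 bytes of keccak256(canonical signature).
const KNOWN = {
  'a22cb465': { name: 'setApprovalForAll', params: ['address', 'bool'] },    // ERC-721/1155
  '095ea7b3': { name: 'approve',           params: ['address', 'uint256'] }, // ERC-20/721
  'a9059cbb': { name: 'transfer',          params: ['address', 'uint256'] }, // ERC-20
};
const UNLIMITED = (1n << 256n) - 1n; // type(uint256).max, the usual "infinite approval"

// Decode one 32-byte ABI word (64 hex chars) of the given static type.
function decodeWord(type, word) {
  if (type === 'address') return '0x' + word.slice(24);   // last 20 bytes
  if (type === 'bool') return BigInt('0x' + word) !== 0n;
  if (type === 'uint256') return BigInt('0x' + word);
  throw new Error('unsupported ABI type ' + type);
}

// Returns { name, args, risk, summary }. risk is 'high' when the call hands control
// of assets to a third party, and 'unknown' when it cannot be decoded at all (which
// is exactly the case a wallet should refuse to blind-sign).
function clearSign(to, calldata) {
  const hex = calldata.replace(/^0x/, '').toLowerCase();
  const entry = KNOWN[hex.slice(0, 8)];
  if (!entry || hex.length !== 8 + 64 * entry.params.length) {
    return { name: null, args: [], risk: 'unknown',
             summary: `Cannot decode call to ${to}; signing would be blind` };
  }
  const args = entry.params.map((t, i) => decodeWord(t, hex.slice(8 + 64 * i, 72 + 64 * i)));
  let risk = 'low';
  let summary;
  if (entry.name === 'setApprovalForAll') {
    risk = args[1] ? 'high' : 'low';
    summary = args[1]
      ? `Grant ${args[0]} control over ALL your tokens in ${to}`
      : `Revoke ${args[0]}'s control over your tokens in ${to}`;
  } else if (entry.name === 'approve') {
    risk = args[1] === UNLIMITED ? 'high' : 'medium';
    summary = `Allow ${args[0]} to move ${args[1] === UNLIMITED ? 'UNLIMITED' : args[1]} of ${to}`;
  } else {
    summary = `Send ${args[1]} of ${to} to ${args[0]}`;
  }
  return { name: entry.name, args, risk, summary };
}

// Constructed sample: a drainer-style setApprovalForAll(operator, true) on an NFT contract.
const OPERATOR = '1111111111111111111111111111111111111111';
const SAMPLE = '0xa22cb465' + '0'.repeat(24) + OPERATOR + '0'.repeat(63) + '1';
console.log(clearSign('0xNFT_CONTRACT_PLACEHOLDER', SAMPLE).summary);
```

A real device also needs the verified contract ABI and human-readable metadata for each dApp, which is the ecosystem work the announcement refers to; this decoder only shows why an undecodable call deserves a refusal rather than a blind signature.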

Ledger is not alone in its commitment to offer redress to the victims of hacks. After an exploit in a pair of old NFT Trader contracts led to a hacker stealing dozens of Bored Apes, Bored Ape Yacht Club co-founder Greg Solano offered to pay the 10%-of-floor-price bounty requested by the hacker for the return of each Ape, backed up by Yuga Labs CEO Daniel Alegre—who phrased it a bit differently, offering compensation for the discovery of the exploit once the Apes were returned. After a series of on-chain negotiations, BoringSecDAO took possession of the stolen Apes and Mutants and is in the process of returning them to their owners.

After a Dec. 17 exploit of one of its peripheral contracts—in which hackers stole high-value NFTs like Apes and Azuki—Flooring, an NFT fractionalization protocol, also pledged to compensate victims from the founder’s personal assets.
