
Major Ledger Connect-Kit Exploit Compromises Multiple DApps

BY Lorepunk

December 14, 2023

Web3 security researchers advised using extreme caution this morning, as dApps including Sushi Swap and revoke.cash report exposure to a vulnerability in Ledger’s connect-kit, a tool that is used in dApps across web3.

The advice to users? Don’t do anything—even revoking allowances.

In a post on X, researcher ZachXBT said that over $600,000 has been drained so far. 

Despite the tool’s name, even users who do not own a Ledger device are at risk of losing control of their assets if they connect to a dApp this morning, because the connect-kit is a basic part of how these apps connect to any wallet. A number of developers, including revoke.cash, have taken their products offline while the vulnerability is investigated.

According to a post that web3 educator Zeneca made in his Discord, the exploit was only deployed today and is not retroactive, so previous connections and allowances made with your wallets do not put your assets at risk.

“From what I am gathering, this is not retroactive, so you are not exposed to previous actions — only new interactions with dApps. Don’t use revoke.cash to revoke permissions, since that is a dApp and connecting to it could open you up to the exploit. Don’t do anything on-chain imo until we get more information (or unless you’re technical enough to ignore my layman’s advice),” Zeneca wrote this morning.

Researchers believe that the malicious code, which looks like an ordinary wallet connection option when you try to connect to a dApp, was deployed around five hours ago.

Because the compromised Ledger connect-kit is loaded automatically, so that dApps picked up the malicious code without any change on their side, any site that uses it or products like WalletConnect could potentially be affected.

In a departure from what is generally advised in the event of a widespread hack, web3 users should not do anything whatsoever involving connecting their wallet to a dApp—including revoking signatures and allowances.

“A really serious issue is currently unfolding across most hosted crypto frontends. There is a supply attack on a popular connector, the @Ledger connect-kit. It has been infected with a drainer, which you can confirm by deobfuscating the code. Be extra vigilant,” wrote developer Lefteris Karapetsas in a post on X.

“What to do as a user? Do not use any dapps that have been compromised by using the ledger-connect-kit. It’s not Ledger, the hardware-wallet, specific. I guess if you can’t check it for yourself, do not interact and ask around, ask the devs if the given dapp is safe. The issue is really serious. Better safe than sorry,” he wrote.

At 8:30 a.m. EST, Ledger announced that it had identified a malicious version of the Ledger Connect Kit and was deploying a genuine version. “We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live were not compromised,” they wrote on X.

At 9 a.m., Ledger posted a further update. “The malicious version of the file was replaced with the genuine version at around 2:35pm CET. The new genuine version should be propagated soon. We will provide a comprehensive report as soon as it’s ready,” they wrote.

Mudit Gupta, Chief Information Security Officer at Polygon, advised on X that users should wait to hear from developers that the fix is properly installed in any dApp they wish to use.
