Crypto Wallet Security Breach: Ledger ConnectKit Compromised in Widespread Attack Affecting Multiple dApps
Crypto News – Ledger, a leading name in the self-custody crypto sector, has fallen prey to a sophisticated cyberattack targeting its users’ digital assets. In a concerning development, the ConnectKit, a widely-used software interface that connects decentralized applications (dApps) to Ledger’s hardware wallets, has been compromised.
This alarming security breach was brought to light by Blockaid, a blockchain security monitoring company, through a recent tweet. The firm described the incident as a supply chain attack, where the attacker tainted the library’s source code, thereby impacting any applications dependent on it.
The core of the attack involved the introduction of a malignant code designed to siphon off cryptocurrency assets from Ledger wallets interfacing with affected dApps through the tainted ConnectKit.
Blockaid has also identified several high-profile dApps that have been impacted by this breach. The preliminary list includes major players like the multi-chain decentralized exchange SushiSwap, the DeFI and NFT tracking service Zapper, along with MetalSwap and EchoDex.
Meanwhile, Matthew Lilley, CTO of SushiSwap, has warned that the vulnerability extends to all dApps integrating Ledger’s ConnectKit. He advises crypto users to avoid using these dApps for the time being, emphasizing that this is not an isolated event but rather a large-scale attack impacting numerous dApps.
It is crucial to note that the vulnerability does not stem from the Ledger hardware wallets themselves but rather from the compromised software facilitating their connection to websites.
In response to this crisis, Ledger has swiftly issued an update to remove the malicious code. Blockaid is now calling on all stakeholders to update their dApps and employ version pinning as a security measure to prevent similar incidents in the future.
Leave a comment