In the week of December 14th, the decentralized finance (DeFi) sector encountered a sequence of unforeseen events, mainly due to malicious actors exploiting vulnerabilities in the Ledger hardware wallet connector library. The exploitation raised concerns because it put the entire decentralized application (DApp) ecosystem at risk. Consequently, on-chain analysts and various DApps, including SushiSwap and MetaMask, strongly advised users to avoid interacting with wallets altogether.
Despite Ledger's quick release of a patch to contain the vulnerability, the exploiter managed to make off with over $650,000 from multiple victims. This sum, albeit substantial, was relatively low considering the number of wallets and DApps that were potentially exposed. The "Ledger hacker" stole at least $484,000 from numerous Web3 applications on December 14, according to the team behind blockchain security platform Cyvers. This was accomplished by misleading Web3 users into granting approvals for malicious tokens.
The breach occurred on the morning of December 14 when an attacker, exploiting a phishing vulnerability, compromised a former Ledger employee's computer and gained access to the employee's Node Package Manager (npm) JavaScript account. The front ends of several decentralized applications (DApps) using the Ledger connector were compromised during the incident, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. Roughly three hours after the security flaw was discovered, Ledger confirmed that it had replaced the file with a legitimate version at around 1:35 PM UTC.
Ledger promptly cautioned users to "always clear sign" transactions and emphasized that the information displayed on the Ledger device screen takes precedence as the authentic details. Users were advised to halt a transaction if the Ledger device screen and the computer or phone screen disagreed. Meanwhile, in a separate incident, Yearn.finance lost $1.4 million due to an error in a multi-signature script, which resulted in a considerable portion of the protocol's funds being drained.
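The "clear signing" advice above amounts to decoding the raw transaction data and comparing it with what the DApp front end shows. The following added example (not code from the article or from Ledger) does that for an ERC-20 `approve()` call and flags the two discrepancies typical of approval phishing: a spender that differs from the one the DApp displayed and an unlimited allowance. The sample calldata and both addresses are constructed, and `shown_spender` stands in for whatever the front end claims.

```python
# Added example (not from the article or Ledger): decode an ERC-20 approve() call
# and list the discrepancies a "clear signing" check should surface before signing.

# Well-known 4-byte selector of ERC-20 approve(address,uint256).
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = 2**256 - 1


def decode_approve(calldata: bytes):
    """Return {'spender', 'amount'} for an approve() call, or None if it is not one."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender_word = calldata[4:36]
    if any(spender_word[:12]):  # an address is left-padded with 12 zero bytes
        return None
    return {
        "spender": "0x" + spender_word[12:].hex(),
        "amount": int.from_bytes(calldata[36:68], "big"),
    }


def review_approval(calldata: bytes, shown_spender: str) -> list:
    """Compare what the DApp displays with what the device would actually sign.

    shown_spender is the spender the front end claims (hypothetical input).
    Each returned string is a reason to halt the transaction.
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return ["calldata is not a well-formed ERC-20 approve() call"]
    findings = []
    if decoded["spender"].lower() != shown_spender.lower():
        findings.append(f"spender mismatch: device {decoded['spender']}, DApp {shown_spender}")
    if decoded["amount"] == UINT256_MAX:
        findings.append("unlimited allowance requested (uint256 max)")
    return findings


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve() calldata (used here only to construct the sample)."""
    return APPROVE_SELECTOR + bytes.fromhex(spender[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")


# Constructed sample: the front end shows a limited approval to one address, while
# the injected script actually requests an unlimited approval to another.
SHOWN_SPENDER = "0x1111111111111111111111111111111111111111"
ACTUAL_SPENDER = "0x2222222222222222222222222222222222222222"
SAMPLE_CALLDATA = encode_approve(ACTUAL_SPENDER, UINT256_MAX)

if __name__ == "__main__":
    for finding in review_approval(SAMPLE_CALLDATA, SHOWN_SPENDER):
        print("STOP:", finding)
```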