On December 14, several decentralized applications (DApps) experienced temporary halts in their front-end user interfaces due to issues with Ledger Connect.
The team behind the non-fungible token (NFT) platform OpenSea advised users against utilizing Ledger Connect to access any DApp until further updates were provided. Similarly, the decentralized finance (DeFi) protocol Lido Finance chose to shut down its frontend temporarily as a precaution while investigating the connectivity problems linked to Ledger.
Earlier the same day, the front ends of platforms including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash were compromised through vulnerabilities associated with Ledger Connect. Ledger acknowledged the situation, stating that it had rectified the vulnerability and identifying the cause as a "malicious version of the Ledger Connect Kit." The company reassured users that genuine versions were being distributed to replace the compromised files, and urged them to abstain from interacting with any DApps until further updates were provided.
Initial reports estimated that at least $484,000 in digital assets was lost in the attack. Tether, the issuer of the stablecoin Tether, responded by freezing the address implicated in the incident. Ledger developers announced that authentic copies of the Ledger Connect Kit were being distributed automatically. However, users were cautioned to wait 24 hours before engaging with the kit as an additional precaution.
The breach was linked to a phishing attack on a former employee of Ledger, which gave the hackers access to sensitive information. The development team stated its intent to file a complaint and collaborate with law enforcement in the ongoing investigation to apprehend the attackers. The window between the draining of funds and the implementation of a fix was estimated at around two hours.