On December 14, multiple decentralized applications (DApps) using the Ledger connector encountered front-end compromises, including platforms like Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. Approximately three hours after the discovery of the security flaw, Ledger reported that the malicious file version had been replaced by a legitimate version at around 1:35 PM UTC.
Ledger issued a cautionary advisory, urging users to always "clear sign" their transactions. It emphasized that the information displayed on the Ledger device's screen should be treated as the authentic data, advising users to halt a transaction if they notice any discrepancy between what their Ledger device shows and what their computer or phone screen shows.
SushiSwap's CTO, Matthew Lilley, was among the first to bring attention to the issue. He pointed out that a commonly used Web3 connector had been compromised, allowing the injection of malicious code into numerous DApps. Lilley attributed the ongoing vulnerabilities and compromises on multiple DApps to Ledger, alleging that Ledger's content delivery network had been breached, resulting in the loading of compromised JavaScript.
The Ledger Connector, a library maintained by Ledger and used by numerous DApps, had been altered to include a wallet-draining routine. The injected code could not empty users' accounts on its own; instead, it could cause browser wallets such as MetaMask to display approval prompts which, if accepted by the user, would grant malicious actors access to the assets.
Lilley cautioned users against engaging with any DApp utilizing the Ledger connector. He emphasized that the "connect-kit" was also affected, stressing that this was not an isolated attack but rather a large-scale assault on multiple DApps. Hudson Jameson, the vice president of Polygon Labs, remarked that even after Ledger rectifies the faulty code within its library, projects utilizing the library will need to update their own deployments before their DApps can safely use the Ledger Web3 library again.
Acknowledging the compromise of its code, Ledger assured users that it had removed the malicious version of the Ledger Connect Kit. The company stated that legitimate versions were being pushed out to replace the compromised files. Ledger also indicated that users were not at risk unless they initiated transactions and advised against interacting with Revoke.cash because of its particular susceptibility, cautioning users about the potential risk to funds. Numerous affected sites remained impacted, and users lost funds worth hundreds of thousands of dollars over the preceding two hours.