Ledger hacked library hits multiple decentralized applications


In the ever-evolving landscape of Web3, a critical security breach has unfurled its ominous presence in the form of a hacked Ledger library. Several decentralized applications (dApps) found themselves ensnared in the clutches of a vulnerability that traced back to a crucial software library provided by this hardware wallet giant.

Decentralized Applications at Risk

The heart of the matter lay in the reliance of dApps on Ledger’s software library. This symbiotic relationship turned sinister as the breach allowed malevolent code to infiltrate the front-ends of multiple dApps.

Ledger Hacked Library Puts User Assets at Risk

This nefarious injection of code carried grave implications. Users navigating through the front ends of these compromised dApps faced an imminent risk to their assets. A looming threat cast its shadow over the Web3 ecosystem.

Kyber and RevokeCash Respond

In a swift response to the impending danger, projects like Kyber and RevokeCash took decisive action. Confirmation surfaced on various platforms, including X, that these projects opted to disable their front-ends, acting as a safeguard against potential exploitation.

Supply Chain Attack Unveiled

Security firm Blockaid dissected the incident, categorizing it as a “supply chain attack” on Ledger ConnectKit. This intricate assault witnessed the malefactor replacing the library software with malicious code, orchestrating a systematic drainage of assets.

Compromised CDN: Gateway to Chaos

Insights from Sushi’s chief technology officer, Matthew Lilley, hinted at the gateway to chaos. Allegedly, a compromise within a specific content delivery network (CDN) hosting the software library triggered the ordeal. Lilley revealed that JavaScript loaded by LedgerHQ/connect-kit from the compromised CDN carried malicious code into multiple dApps.
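A defensive check that follows from the CDN paragraph above, as an added example that is not from the article, Ledger or any dApp: it scans a front-end's HTML for scripts fetched from another origin and flags those loaded without a Subresource Integrity hash or without an exact version pin. The function names, hosts, package names and integrity value are constructed for illustration.

```javascript
// Added example, not Ledger's or any dApp's code. Hosts, package names and
// the integrity value in SAMPLE_HTML are constructed.
const EXACT_VERSION = /@\d+\.\d+\.\d+(?=[\/-]|$)/; // @1.4.2, not @1 or @latest
const SRI_VALUE = /^sha(256|384|512)-[A-Za-z0-9+\/]+={0,2}$/;

// Turn the attributes of one <script ...> opening tag into an object.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<script/i, "").replace(/>$/, "");
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report every script fetched from another origin that the page either does
// not verify (no Subresource Integrity hash) or does not pin to one release.
// Regex tag matching is enough for an audit; it assumes no ">" inside values.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    if (!attrs.src) continue; // inline script: nothing is fetched
    const url = new URL(attrs.src, page);
    if (url.origin === page.origin) continue; // shipped with the app itself
    const issues = [];
    if (!SRI_VALUE.test(attrs.integrity ?? "")) issues.push("no-integrity");
    if (!EXACT_VERSION.test(url.pathname)) issues.push("floating-version");
    if (issues.length) findings.push({ src: url.href, issues });
  }
  return findings;
}

const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example/npm/@vendor/connect-lib@1"></script>
<script src="https://cdn.example/npm/@vendor/ui@2.3.1/dist/ui.min.js"></script>
<script src="https://cdn.example/npm/@vendor/math@4.0.2/index.js"
        integrity="sha384-${"A".repeat(64)}" crossorigin="anonymous"></script>
`;

for (const f of auditScripts(SAMPLE_HTML, "https://dapp.example/")) {
  console.log(f.issues.join(",").padEnd(32), f.src);
}
```

A static scan like this only sees script tags present in the HTML; scripts that bundled code injects at runtime need the same review applied to the loader itself.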

Estimated Losses: A Financial Toll

Blockaid’s estimations painted a grim financial picture. The initial hours of the breach saw losses tallying up to $150,000, a figure that escalated dramatically. The stolen funds surged past the half-million-dollar mark, underscoring the magnitude of the security compromise.

Ledger’s Response: A Race Against Threats

Amidst the chaos, Ledger initiated damage control. A software patch, embedded within an update, emerged as a critical line of defense. However, the adoption of this patch rested in the hands of dApp developers, heightening the urgency for a swift response.

MetaMask’s Call to Vigilance

The echoes of caution reverberated across the Web3 spectrum. MetaMask, a widely embraced Web3 wallet app, issued a stark warning. Users, regardless of their reliance on Ledger, were urged to cease interactions with any dApps until further notice.

Hacking Spree

Recently, it was discovered that the Uranium Finance exploiter used Magic cards to cash out part of its bounty. Inferno Drainer closing shop looked like a step in the right direction, but this is an unexpected plot twist right before the end of the year.

Adopting Fixes: A Collective Endeavor

As Ledger and MetaMask raced against time to implement remedies, the broader Web3 community stood at a crossroads. A collective endeavor to adopt fixes and fortify defenses became the rallying call. The narrative of the Web3 security breach unfolded as a testament to the fragility and resilience entwined within the digital fabric of decentralized ecosystems.