Ledger Hacked: User Wallets Looted Through Poisoned dApp Code

LUCKNOW (CoinChapter.com) — In a major security breach, hackers attacked Ledger’s connector library today. Numerous decentralized applications (dApps) that rely on Ledger’s technology to interface with the blockchain were compromised. The hack has put Ledger wallet users at significant risk of theft and highlights severe vulnerabilities in Ledger’s systems.

Earlier today, multiple dApps such as SushiSwap, Balancer, Zapper, and Revoke.cash were breached. Hackers secretly replaced Ledger’s connector library with a corrupted, malicious version. This enabled hackers to hijack transactions and drain user funds. Nearly three hours elapsed before Ledger noticed the compromise and replaced the fraudulent library file with a legitimate version around 1:35 pm UTC.

Ledger Hacked! Do Not Interact With Dapps

Ledger is warning users to diligently “Clear Sign” any transactions to prevent potential theft from the breach. The company cautions that users must trust only the addresses and information physically shown on the Ledger device screens. 

“If there’s a difference between the screen on your Ledger and your computer/phone, stop that transaction immediately,” Ledger urged. 

Users should closely scrutinize all transaction prompts and wallet activity to check for unauthorized withdrawals from the widespread hack.

“Do not interact with ANY dApps until further notice,” warned SushiSwap CTO Matthew Lilley, one of the first to raise the alarm about the hack. “It appears that a commonly used web3 connector has been compromised, which allows for injection of malicious code affecting numerous dApps.”

Furthermore, Lilley blamed Ledger for the extensive vulnerabilities that enabled hackers to breach multiple dApps. Lilley stated that Ledger’s compromised core content delivery network (CDN) allowed attackers to secretly replace legitimate JavaScript files with corrupted ones.

Severe Security Lapses Allow Hackers to Penetrate Ledger

At the core of the hack is Ledger’s connector library, which numerous dApps use to interface with Ledger’s hardware wallets. Hackers covertly injected malicious “wallet-draining” code into the library, enabling them to stealthily drain assets from user accounts. While funds might not disappear on their own, the added code could generate fake transaction prompts via browser wallets like MetaMask, misleading users into approving thefts.

“Avoid any dApp utilizing Ledger’s connector or connect-kit libraries,” urgently warned Lilley. 

According to Polygon Labs VP Hudson Jameson, fixing the corrupted code in Ledger’s libraries will not be enough. Jameson explained that every project currently utilizing or integrating with Ledger’s Web3 connector libraries must individually implement updates before they are safe for users again.
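
A project that loads a third-party script from a CDN can pin the exact bytes it expects, so that a silently replaced file like the one described above is rejected instead of executed. The following is an added example, not Ledger's or any dApp's code: a Subresource Integrity style check written for Node.js, in which the function names and the two sample scripts are constructed for illustration.

```javascript
// Added example: SRI-style pinning check. Sample scripts below are constructed.
const { createHash, timingSafeEqual } = require("node:crypto");

// Hash algorithms accepted in an integrity string, strongest first.
const ALGS = ["sha512", "sha384", "sha256"];

// Build an integrity string ("sha384-<base64>") from known-good bytes.
function computeIntegrity(bytes, alg = "sha384") {
  return `${alg}-${createHash(alg).update(bytes).digest("base64")}`;
}

// Parse a space-separated integrity value; malformed or unsupported
// tokens (for example "md5-...") are dropped.
function parseIntegrity(value) {
  return value.trim().split(/\s+/).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(tok);
    return m ? { alg: m[1], digest: Buffer.from(m[2], "base64") } : null;
  }).filter(Boolean);
}

// True only if the bytes match a pin of the strongest algorithm present.
// With no usable pin this function fails closed (a deliberate choice here).
function verifyIntegrity(bytes, value) {
  const pins = parseIntegrity(value);
  const best = ALGS.find((a) => pins.some((p) => p.alg === a));
  if (!best) return false;
  const actual = createHash(best).update(bytes).digest();
  return pins
    .filter((p) => p.alg === best)
    .some((p) => p.digest.length === actual.length &&
                 timingSafeEqual(p.digest, actual));
}

// Constructed stand-ins for the library as reviewed and as later served.
const goodLib = Buffer.from("export function connect(){ return 'transport'; }\n");
const swappedLib = Buffer.concat([goodLib, Buffer.from("/* injected code */\n")]);
const pinned = computeIntegrity(goodLib); // recorded at review time

// Check both versions against the pin recorded for the reviewed file.
function demo() {
  return {
    reviewedFileAccepted: verifyIntegrity(goodLib, pinned),
    replacedFileAccepted: verifyIntegrity(swappedLib, pinned),
  };
}

console.log(demo());
```

In a browser the same pin goes in the `integrity` attribute of the `<script>` tag, and it only helps when the URL refers to a fixed version of the file.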

Ledger has acknowledged the hack and claims to have replaced the malicious library file with a clean version. 

However, the firm has provided no transparency into the attack vector yet.
