- Ledger ConnectKit exposes popular dApps to wallet-draining attacks.
- Popular dApps, including SushiSwap and Zapper, were confirmed to be affected.
- Ledger has released a minor update to eliminate the malicious code.
Users of the renowned crypto self-custody solution Ledger have become the latest targets for a well-planned attack targeting their crypto funds. Specifically, an attacker has compromised Ledger ConnectKit, a popular software library that decentralized applications (dApps) use to connect with Ledger hardware wallets.
This vulnerability was disclosed by blockchain security tracking firm Blockaid in a recent tweet. Blockaid characterized it as a supply chain attack as the hacker poisoned the library’s source, affecting applications relying on it.
Specifically, the attacker injected malicious wallet-draining payload code into the library to drain crypto assets stored in Ledger devices connected to dApps using the compromised ConnectKit.
Furthermore, Blockaid highlighted the popular dApps confirmed to be affected by the attack. At the time of reporting, the tentative list of dApps using ConnectKit found to be vulnerable included multi-chain DEX SushiSwap, DeFI and NFT tracker Zapper, MetalSwap, and EchoDex.
On the other hand, Matthew Lilley, the chief technology officer of SushiSwap, stated that all dApps utilizing Ledger ConnectKit are susceptible to the vulnerability. Lilley strongly advised crypto enthusiasts to refrain from using dApps until further notice as it is not an isolated incident. According to him, it constitutes a widespread attack affecting multiple dApps on a large scale.
It is worth emphasizing that this recently detected security threat does not lie with Ledger hardware wallets themselves. Instead, it resides in the adapter that facilitates the connection between websites and the hardware wallet.
Meanwhile, Ledger has promptly released a minor update that eliminates the malicious code. Blockaid urged stakeholders to update their dApps and implement version pinning to ensure security.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
