Security issue in Ledger ConnectKit library affects multiple decentralized applications
Quick Take A significant security vulnerability has been reported by several decentralized applications. The issue stems from a compromised software library connected to Ledger.
A critical web3 security vulnerability emerged today, reportedly affecting several decentralized applications. The issue is related to a software library from the crypto hardware wallet provider Ledger, the “LedgerHQ” library, that dapps rely on for use with the crypto wallet service. This vulnerability could potentially allow malicious code to be injected into numerous dapps on their front-ends — posing a significant risk to users and their assets.
Consequently, front ends to dapps such as SushiSwap, Kyber, RevokeCash and Zapper could be vulnerable if used. Both Kyber and RevokeCash confirmed on X that they disabled their front-ends.
According to reports, the library code was replaced with malicious software created by hackers and designed to drain assets.
Security firm Blockaid described it as a "supply chain attack" on Ledger Connect Kit and claimed that $150,000 had been lost in the past couple of hours.
The issue likely emerged due to a specific Content Delivery Network used to host the software library being affected, according to Sushi’s chief technology officer Mathew Lilly. “LedgerHQ/connect-kit loads JavaScript from a CDN. Their CDN account has been compromised, which is injecting malicious JavaScript into multiple dApps,” Lilly said.
A potentially software patch was finalized in an update and may need to be adopted by dapps before conditions are safe.
Meanwhile, Lilly and others have warned users to avoid interacting with any dapps until further notice.
Ledger did not immediately respond to a request for comment.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Wormhole has integrated Circle’s cross-chain transfer protocol on Sui
AR breaks through $20
MagicBlock open sources a16z-backed ‘ephemeral rollup’ tech
MagicBlock went through a16z’s crypto startup accelerator and began advertising its tech earlier this year