Jump to
Main Blog Hype Ledger to return $600,000 to victims of Connect Kit exploit

Ledger to return $600,000 to victims of Connect Kit exploit

Pic 1

On December 14, due to a compromise of the Ledger Connect Kit library, which allows users to connect to websites using a hardware wallet, many dApps faced the wallet connection window being replaced with a phishing one. As a result, users lost an estimated $600,000. On December 20, Ledger announced on its X that it will reimburse funds to victims until the end of February 2024 and notified about upcoming security improvements.
 

What is Ledger

Ledger is a manufacturer of hardware wallets for storing cryptocurrencies. The company currently sells three models: the Ledger Nano S Plus, the Ledger Nano X, and the Ledger Stax.

Read more about Ledger wallets and other ways to store cryptocurrency in our guide: How to store crypto.

All Ledger devices store cryptocurrencies securely without constant internet connection. But they also can be connected to computers or laptops with access to the internet for users to manage their funds, connect to dApps, and participate in DeFi.
 

How the connection of Ledger wallet to dApps’ is designed

In order for a particular dApps’ website to allow Ledger wallet connectivity, that dApp must first add Ledger to the list of wallets. For better understanding, this is what the Revoke.cash service that allows users to revoke approvals from smart contracts interface looks like when you connect a wallet to it. To connect a Ledger wallet, a user should press the “WalletConnect” button.

Pic 2

Wallet developers create their own libraries of ready-to-use codes, which make it easy for dApps developers to integrate the ability to connect that specific wallet on a website. At the same time, these libraries are dynamic, i.e., the authors can change their content, and it will change for all services that use it. This is what the attacker took advantage of.
 

Why Ledger Connect Kit exploit happened

On December 14, an attacker managed to inject malicious code into a Ledger library called "Ledger Connect Kit". Thus, they managed to spoof the wallet connection interface on all dApps that allow logging in with Ledger. Here is a screenshot of how the interface has changed.

Pic 3

As you can see, on top of the original one, a phishing window has been added, offering to connect using a wallet. After the user connected using any of the methods and made a transaction from their address, those funds were transferred to the attacker. Thus, not only Ledger wallet users were affected, but everyone who connected any wallet through such a phishing window and made transactions.

The Chief Technology Officer of DEX SushiSwap was one of the first to point out the exploit. According to the report from Ledger, a former employee of the company had access to some data by mistake. The attacker took advantage of this and gained access to that data by tricking them through phishing. 
 

How Ledger Connect Kit library issue affected multiple dApps

Ledger can be used to connect to almost all major dApps' websites, so this exploit paralysed many of them, including SushiSwap, Lido, and OpenSea . Services did different things: some waited for Ledger to update its library to remove the malicious code, others temporarily disabled Ledger connectivity on their sites.

By the evening of December 14, when the exploit happened, Ledger developers had updated the library and removed the malicious code from it. Thus, it took about five hours from its compromise to the problem's resolution. The estimated loss is $600,000.
 

Ledger promises to reimburse Connect Kit exploit victims and a focus on security

On December 20, Ledger reached out to users on X. Here are the three main points:

1️⃣ The company will compensate all those affected by the vulnerability for their losses. The total compensation will be $600,000, and the deadline is by the end of February 2024;

2️⃣ By June 2024, the "Blind Sign" feature will be unavailable to users of Ledger devices. The company will switch to "Clear Sign", meaning it will show users the details and implications of a transaction before it occurs;

3️⃣ Ledger further clarified that this vulnerability did not affect the devices or compromise private wallet keys, as it is related to library code and has nothing to do with gadgets.

This is not the first time a theft of funds has occurred with the Ledger brand. For example, in November, users lost $768,000 due to a fake Ledger app in the Microsoft Store.

DeFi and Web3 have many risks and possible vulnerabilities. Here is our friendly reminder: always keep an eye on the socials of the services you use, and in similar cases, do not use any dApps until the situation is resolved. Also, read our article Crypto scam: how to protect yourself.
 

👀 You might also like:

Ledger Recover feature comes by the end of 2023

User lost $24 million due to phishing attack

What’s wrong with Binance Web3 Wallet

Maria Kachura
Maria Kachura

Visit her on Facebook or hit her up via Email.

0
Share this post
Similar articles
Best investment options for 2023
Markets
16 February, 2023
Best investment options for 2023
Let’s explore all the pros and cons of currencies, cryptocurrencies, stocks, real estate, and precious metals.
The difference between coin and token: understanding crypto assets
Learn
24 April, 2024
The difference between coin and token: understanding crypto assets
Discover the key differences between coins and tokens in the cryptocurrency ecosystem. Learn about their features, roles, and examples in this comprehensive guide.
NFT NYC 2022!🌐🦄
Events
20 June, 2022
NFT NYC 2022!🌐🦄
NFT NYC 2022.
AIBC Americas 2022
Events
8 June, 2022
AIBC Americas 2022
AIBC Americas 2022.
ETH NEW YORK 2022 🌐🦄
Events
24 June, 2022
ETH NEW YORK 2022 🌐🦄
ETH NEW YORK 2022.
Top 5 NFT games in 2024: the future of blockchain gaming
Learn
19 June, 2024
Top 5 NFT games in 2024: the future of blockchain gaming
In this guide, the itez team has gathered the freshest and most exciting information about the Play-to-Earn (P2E) segment and NFT games.