The attack on Ledger’s connector library may be impacting the whole Ethereum Virtual Machine (EVM) ecosystem, according to the Linea team, a zero-knowledge rollup by Consensys.
The hacker targeted the Ledger connector library, which was designed to enable communication between Ledger hardware wallets and various decentralized applications (DApps). Wallet provider MetaMask has also been affected by the security incident.
To all web3 users,
It looks like this vulnerability is affecting multiple dapps across the whole EVM ecosystem. It is very risky to interact with any dapps until the issue is properly addressed.Stay safe out there! https://t.co/kFykLW4lWm
— Linea (@LineaBuild) December 14, 2023
According to a post on X (formerly Twitter), MetaMask deployed an update to fix the issue, saying users on the latest version v2.121.0 would automatically be updated and should be able “to transact again.” Users of previous versions should “refresh your site data.”
Other affected protocols include Zapper, SushiSwap, Phantom, Balancer and Revoke.cash. Blockchain security firm Certik told Cointelegraph that any DApp importing the ledger CDN will automatically execute the drainer code, prompting victims to connect via any wallet they support.
Ledger is a popular hardware wallet used by many in the crypto community. Its connector library is a critical component that interfaces between the Ledger hardware and various DApps. This library could affect a large number of EVM users and transactions if compromised.
The attack was initiated after a former Ledger employee was phished and their NPMJS account was compromised. “The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet,” the company wrote on X.
A fix was released nearly 40 minutes after the issue was discovered by Ledger. The company is warning users to wait 24 hours before using its Ledger Connect Kit again.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
Blockchain analytics platform Lookonchain claimed the hacker has stolen assets worth nearly $484,000, but the impact of the security breach could be bigger, noted Ledger.
Magazine: 2 years after John McAfee’s death, widow Janice is broke and needs answers