The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, Sushiswap, and Revoke.cash, was compromised on Dec. 14.
SushiSwap chief technical officer Mathew Lilley reported that a commonly used Web3 connector has been compromised, allowing malicious code to be injected into numerous DApps. The on-chain analyst said the Ledger library confirmed the compromise where the vulnerable code inserted the drainer account address.
RED ALERT :
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I’m Software (@MatthewLilley) December 14, 2023
SushiSwap CTO blamed Ledger for the ongoing vulnerability and compromise on multiple DApps. The CTO claimed that Ledger’s content delivery system (CDN) was compromised followed by a a chain of terrible blunders – where they first loaded java script from a compromised CDN while not version-locking loaded JS.
Ledger connector is a library used by many DApps and maintained by Ledger. A wallet drainer has been added, so the draining from a user’s account might not happen on its own. However, prompts from a browser wallet (like MM) will display and could give malicious actors access to the assets.
On-chain analysts warned users to avoid any DApps using the Ledger connector, adding that the connect-kit-loader is also vulnerable.
seems like the Ledger’s @ledgerhq/connect-kit npm package was hacked, the latest publish was 2 hours ago. pic.twitter.com/AsbA675D9Q
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023
This is a developing story, and further information will be added as it becomes available.