A security flaw in the Ledger connector library has alarmed the crypto community and raised serious questions about basic security.

Earlier today, crypto hardware wallet maker Ledger confirmed that its Connector library had been compromised, with attackers replacing the real version with a malicious file. After the incident, multiple decentralized applications (dApps) faced potential exploits, and attackers successfully stole more than $500,000 from multiple wallets.

In this report, we bring you the details of the incident, the key events and its impact.

What happened

In a detailed post on social media platform

The hackers then released a tampered version of the Ledger Connect Kit containing malicious code. That code presented a deceptive WalletConnect flow that redirected funds to a hacker-controlled wallet.

These malicious versions deceive users by displaying false prompts when they connect to a decentralized application (dApp) frontend, leading them to unintentionally approve fake transactions. Clicking on such a prompt can mean inadvertently signing a transaction that empties the user's wallet.

However, the security breach does not directly affect Ledger wallets or leak seed phrases. The risk only arises when the user connects the wallet to the dApp.

Ledger solves this problem

Ledger said it quickly replaced the malicious Ledger Connect Kit with a genuine version. The hardware wallet maker confirmed the fix and promised to release a full report soon.

"Ledger's technical and security teams were alerted and deployed a fix within 40 minutes of Ledger becoming aware of it. The malicious file lived for approximately five hours, but we believe the time the funds were depleted was limited to less than two hours."

Additionally, users are reminded to clear-sign their transactions, checking that the information displayed on their computer or phone screen matches what is shown on their Ledger device. Users are also advised to avoid using cached copies of the malicious library and to clear their cache if one has been used.

In a post-mortem letter, Ledger CEO Pascal Gauthier acknowledged that his company's security practices failed during this "unfortunately isolated incident." He outlined plans to implement "stronger security controls" while calling for industry-wide adoption of more secure "clear signature" standards, which could prevent unauthorized transactions.

$610,000 stolen

Despite the fix and the early warnings about the compromise, on-chain analysis revealed that a total of $610,000 was stolen from various wallets.

The attacker's wallet, also labeled "Ledger Exploiter" on Etherscan, had a balance of more than $330,000 at press time, according to DeBank.

Tether CEO Paolo Ardoino revealed that the stablecoin issuer immediately froze the attacker’s wallet. “Tether just froze the attacker’s address on Ledger,” Ardoino said. The wallet currently contains approximately $44,000 worth of USDT.

The freeze means the wallet can no longer send USDT to other addresses. However, it can continue with other transactions.

Does your Ledger wallet still work?

As stated, the security breach did not directly affect Ledger wallets or leak mnemonic phrases. This means Ledger users can continue to use their hardware wallets.

However, they are advised to avoid interacting with decentralized applications until further notice from these platforms.

Meanwhile, Ledger informed developers that the genuine version of the compromised Connect Kit had propagated automatically. The company added: "We recommend waiting 24 hours before using the Ledger Connect Kit again."