The recent attack on Ledger’s connector library, a crypto wallet company, may have an impact on the entire Ethereum Virtual Machine (EVM) ecosystem, according to an analysis by Linea team, an EVM-compatible layer-2 vertical scaling solution for Ethereum.
Web3 security firm Blockaid was the first to discover what it referred to as a supply chain attack on Ledger’s Connect Kit, affecting several decentralized apps (dApps).
“Blockaid has identified a suspected supply chain attack on Ledger Connect Kit. Their team has detected potential malicious activities within Ledger connect-kit SDK impacting several decentralized applications (dApps). They have promptly initiated investigations to analyze the attack method,” the security firm said in a note to the International Business Times.
The malicious actor targeted Ledger’s connector library, designed to facilitate communication between physical wallets and multiple decentralized apps.
“We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps at the moment. We will keep you informed as the situation evolves,” Ledger said in a tweet, confirming Blockaid’s information.
After Ledger confirmed the attack and deployed an update to fix the compromised library, wallet provider Metamask claimed that it had also been affected by the incident.
Metamask alerted its users and advised: “Please ensure that you have the Blockaid feature turned on in MetaMask Extension before performing any transactions on MetaMask Portfolio. The MetaMask Portfolio team is on it and has a fix in place that will be rolled out today.”
If you’re a MetaMask user: Please ensure that you have the Blockaid feature turned on in MetaMask Extension before performing any transactions on MetaMask Portfolio. The MetaMask Portfolio team is on it and has a fix in place that will be rolled out today.
— MetaMask 🦊🫰 (@MetaMask) December 14, 2023
This was confirmed by the Linea team which said: “It looks like this vulnerability is affecting multiple dapps across the whole EVM ecosystem. It is very risky to interact with any dapps until the issue is properly addressed.”
To all web3 users,
It looks like this vulnerability is affecting multiple dapps across the whole EVM ecosystem. It is very risky to interact with any dapps until the issue is properly addressed.Stay safe out there! https://t.co/kFykLW4lWm
— Linea (@LineaBuild) December 14, 2023
Aside from Ledger and Metamask, several other protocols were impacted by the Ledger security incident, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash.
As of 9:33 a.m. ET on Thursday, on-chain sleuth who uses the X handle @ZachXBT shared that the incident allowed the malicious actor to drain some $610,000 in funds.
Moreover, the cryptocurrency market saw up to $60 million in liquidated positions on an hour scale as the broader crypto market dumped following the news.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
Ledger said the latest attack was due to a former employee who “fell victim to a phishing attack that gained access to their NPMJS account,” adding, “The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.”
