December 14, 2023 at 17:13 GMT (modified date: December 14, 2023 at 17:13 GMT)

Ledger falls victim to phishing attack, affecting several dApps

Hardware wallet provider Ledger has confirmed a vulnerability in its library that affected a number of Web3 decentralised applications (dApps).

The hacker managed the attack by publishing a malicious version of the Ledger Connect Kit.

When the Ledger team identified the compromise, it warned its users not to interact with any dApps while it worked on replacing the malicious file with a genuine version.

Various cryptocurrency experts, including on-chain investigator ZachXBT, also took notice of the vulnerability. Security firm Blockaid described it as a “supply chain attack” on Ledger’s Connect Kit where the attacker managed to replace the library software with malicious code to drain assets.

An estimated $150,000 was reported lost in the first couple of hours of the incident. Reportedly, this figure later rose to over half a million dollars as time passed.

The timeline

In a post made on its official X account, Ledger laid out the timeline of the hack to update its customers. It all started when a former employee fell victim to a phishing attack that gained access to their NPMJS account.

The attacker published malicious versions of the Ledger Connect Kit, affecting versions 1.1.5, 1.1.6, and 1.1.7. The injected code used a rogue Wallet Connect project to reroute funds to the attacker's wallet.

This compromised file was live for around five hours. However, Ledger believes the window where funds were being drained to be a limited period of less than two hours. It soon alerted its security teams and a fix was deployed within 40 minutes of Ledger becoming aware.

The company then coordinated with Wallet Connect to quickly disable the rogue project. Soon after, a genuine and verified Ledger Connect Kit version 1.1.8 was released, which is now safe to use.

Users have been advised to wait 24 hours before using the Ledger Connect Kit again. Ledger gave specific instructions to builders and developers:

“For builders who are developing and interacting with the Ledger Connect Kit code: connect-kit development team on the NPM project are now read-only and can’t directly push the NPM package for safety reasons. We have internally rotated the secrets to publish on Ledger’s GitHub. Developers, please check again that you’re using the latest version, 1.1.8.”
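Ledger's instruction to developers amounts to a lockfile check: no resolved copy of the Connect Kit may be at 1.1.5, 1.1.6 or 1.1.7, and every copy should be at the fixed release 1.1.8 or later, including copies nested under other wallet libraries. The script below is an added example, not Ledger's code or part of the Connect Kit project; it assumes the package's npm name is `@ledgerhq/connect-kit`, reads npm lockfile v1 and v2/v3 layouts, and inspects a constructed lockfile object rather than a real one.

```javascript
// Added example (not Ledger's code): audit an npm lockfile for the Ledger
// Connect Kit versions the advisory lists as compromised.
// Assumption: the npm package is published as "@ledgerhq/connect-kit".
const PACKAGE = "@ledgerhq/connect-kit";
const COMPROMISED = new Set(["1.1.5", "1.1.6", "1.1.7"]); // from the advisory
const FIXED = "1.1.8";                                      // from the advisory

// Numeric x.y.z comparison; a prerelease suffix such as "-beta.1" is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every resolved copy of the package, wherever it sits in the tree.
// Lockfile v2/v3 list "packages" keyed by node_modules path; lockfile v1 nests
// "dependencies" by name. v2 carries both, so "packages" wins when present to
// avoid counting the same copy twice.
function collectVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
        found.push({ where: path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PACKAGE) found.push({ where: here.join(" > "), version: meta.version });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Verdicts: "compromised" if any copy is a listed bad version, "outdated" if
// any copy predates the fix, "ok" if every copy is at or past the fix,
// "absent" if the package is not in the lockfile at all.
function auditLockfile(lock) {
  const copies = collectVersions(lock);
  const compromised = copies.filter((c) => COMPROMISED.has(c.version));
  const outdated = copies.filter(
    (c) => !COMPROMISED.has(c.version) && compareVersions(c.version, FIXED) < 0
  );
  let verdict = "absent";
  if (compromised.length) verdict = "compromised";
  else if (outdated.length) verdict = "outdated";
  else if (copies.length) verdict = "ok";
  return { verdict, copies, compromised, outdated };
}

// Constructed lockfile v3 excerpt: a direct copy at a compromised version and a
// nested copy, under a hypothetical "wallet-ui" package, already on the fix.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.1.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.7" },
    "node_modules/wallet-ui": { version: "2.0.0" },
    "node_modules/wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
console.log(`verdict: ${report.verdict}`);
for (const c of report.copies) console.log(`  ${c.where} -> ${c.version}`);
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A "compromised" or "outdated" verdict on a CI runner is a reasonable build blocker: bumping the direct dependency alone does not help if a transitive copy at a bad version survives, which is why the scan walks the whole tree rather than only the top-level entry.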

The aftermath

The bad actor’s wallet has been reported by Ledger, along with Wallet Connect and its other partners. The address has been made visible on blockchain data platform Chainalysis. Stablecoin issuer Tether has also frozen the bad actor’s $USDT.

The team seeks to file a complaint and is currently working with law enforcement on the investigation to find the attacker. To its affected users, it said:

“We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time.”

While Ledger has not yet revealed official figures for the amount lost, ZachXBT reported that over $610K appears to have already been drained.

The wallet provider also thanked the community that helped identify the attack in a message saying: “We’re studying the exploit in order to avoid further attacks… Security will always prevail with the help of the whole ecosystem.”
