OpenSea and Lido Finance Among DApps Taking Precautionary Measures
Several decentralized applications (DApps) have decided to disable their front-end user interface for Ledger Connect following an exploit that occurred on December 14. OpenSea, a nonfungible token (NFT) platform, issued a warning advising users not to connect to any DApps using Ledger Connect until further notice. Similarly, Lido Finance, a decentralized finance (DeFi) protocol, shut down its front ends as a precautionary measure while investigating the Ledger Connect issue.
Multiple DApps Affected by Exploit
Throughout the day, several DApps including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash experienced compromises to their front ends as part of the Ledger Connect exploit. Ledger, the company behind Ledger Connect, has confirmed that the exploit has been patched. The issue was traced back to a "malicious version of the Ledger Connect Kit."
Significant Losses and Frozen Assets
Early reports suggest that the attack resulted in the draining of at least $484,000 in digital assets. Tether, the issuer of the Tether (USDT) stablecoin, took action by freezing the exploiter's address. Ledger developers have since released a "genuine version" of the Ledger Connect Kit, which is now being automatically propagated. However, users are advised to wait 24 hours before using the kit again.
Phishing Attack and Ongoing Investigation
The exploit has been linked to a phishing attack on a former Ledger employee, which allowed hackers to gain access to sensitive information. Developers are taking the incident seriously and have stated that they are filing a complaint and cooperating with law enforcement to track down the attacker. Approximately two hours passed between the funds being drained and the implementation of a fix.