SushiSwap, Zapper, Balancer, and Revoke.cash among the affected DApps
Several decentralized applications (DApps), including popular ones like SushiSwap, Zapper, Balancer, and Revoke.cash, have had their front ends compromised through the Ledger connector library. On December 14, it was discovered that malicious code had been injected into these DApps, putting users at risk.
Compromise traced back to a vulnerable Web3 connector
Matthew Lilley, the chief technical officer of SushiSwap, reported the compromise and pointed out that a commonly used Web3 connector had been compromised, allowing the injection of malicious code into multiple DApps. The compromise of the Ledger library was confirmed, and it resulted in the insertion of a drainer account address.
CTO blames Ledger for vulnerability
The CTO of SushiSwap blamed Ledger for the ongoing vulnerability and the compromise of multiple DApps. According to the CTO, Ledger's content delivery network (CDN) was compromised, and a series of mistakes were made, including loading JavaScript from a compromised CDN without version-locking the loaded JS.
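
As an added illustration of the version-locking point above (not code from Ledger or any of the affected DApps), the following script scans page or loader source for npm-CDN script URLs and flags any that do not name one exact release. The CDN hosts, URL layouts and package names are assumptions chosen for the example.

```javascript
// Added example (not Ledger's or any DApp's code). Hosts and URL layouts are assumptions:
// jsDelivr-style /npm/<pkg>@<ver>/<file> and unpkg-style /<pkg>@<ver>/<file>.
const CDN_HOSTS = new Set(["cdn.jsdelivr.net", "unpkg.com"]);
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Extract { name, version } from a CDN URL; version is null when absent.
function parsePackageSpec(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (!CDN_HOSTS.has(u.hostname)) return null;
  const path = u.pathname.replace(/^\/(?:npm\/)?/, "");
  // Scoped (@scope/name@ver/file) or unscoped (name@ver/file).
  const m = path.match(/^((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(?:\/.*)?$/);
  return m ? { name: m[1], version: m[2] ?? null } : null;
}

// A URL is version-locked only when it names one exact x.y.z release.
function classify(rawUrl) {
  const spec = parsePackageSpec(rawUrl);
  if (!spec) return null; // not a recognised package CDN URL
  if (spec.version === null)
    return { url: rawUrl, name: spec.name, locked: false, reason: "no version, resolves to latest" };
  if (EXACT_VERSION.test(spec.version))
    return { url: rawUrl, name: spec.name, locked: true, reason: "exact version" };
  return { url: rawUrl, name: spec.name, locked: false, reason: `floating version "${spec.version}"` };
}

// Scan any text (HTML or a bundled loader script) for CDN URLs and classify each.
function auditSource(text) {
  const urls = text.match(/https?:\/\/[^\s"'`<>)]+/g) ?? [];
  return urls.map(classify).filter(Boolean);
}

// Constructed sample input; package names are placeholders.
const SAMPLE = `
<script src="https://cdn.jsdelivr.net/npm/@example-scope/connector@1"></script>
<script src="https://cdn.jsdelivr.net/npm/example-lib@2.4.1/dist/index.min.js"></script>
<script src="https://unpkg.com/example-widget/dist/widget.js"></script>
<script src="/static/app.js"></script>`;

for (const r of auditSource(SAMPLE))
  console.log(r.locked ? "OK  " : "FLAG", r.name, "-", r.reason);
```

Pinning an exact version stops a newly published release from being picked up automatically; a Subresource Integrity hash on the script tag additionally detects a changed file at the same URL.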
Wallet drainer added to Ledger connector library
The Ledger connector library, which is maintained by Ledger and widely used by many DApps, had a wallet drainer added to it. Funds would not be drained from a user's account automatically. However, browser wallets like MetaMask could still display prompts and potentially give malicious actors access to users' assets.
Users advised to avoid affected DApps
On-chain analysts have warned users to avoid using any DApps that rely on the Ledger connector library. They also noted that the connect-kit-loader is vulnerable, and any DApp using LedgerHQ/connect-kit is at risk. This is not an isolated attack but a large-scale one affecting multiple DApps.
Updates required for projects using Ledger's library
Hudson Jameson, the vice president of Polygon Labs, stated that even after Ledger fixes the compromised code in their library, projects using and deploying that library will need to update their systems before it is safe to use DApps that rely on Ledger's Web3 libraries.
Ledger takes action to address the issue
Ledger has acknowledged the vulnerability in its code and has removed the malicious version of the Ledger Connect Kit. They are currently pushing a genuine version to replace the compromised file. In the meantime, users are advised not to interact with any DApps. Ledger will continue to provide updates as the situation develops.
This is a developing story, and more information will be provided as it becomes available.