- A compromised release of Ledger’s connector library, Ledger Connect Kit, allowed attackers to drain funds from decentralized apps (dApps) that loaded the library on December 14th. Many dApps temporarily disabled Ledger Connect Kit in response.
- The compromised library was in use at protocols including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. In total, the attacker reportedly drained at least $484,000.
- Ledger has attributed the compromise to a phishing attack on a former employee, whose npm publishing account was used to push the malicious versions. The company has deployed a fix, but the full impact remains unclear because Ledger Connect Kit is integrated across a large number of dApps.
On December 14th, malicious code published in Ledger’s connector library, Ledger Connect Kit, allowed attackers to drain funds from decentralized apps (dApps) that loaded the library. In response, many dApps temporarily disabled Ledger Connect Kit while the fixed version propagated. This article examines the exploit, which protocols were affected, and Ledger’s response.
The Exploit
Reports emerged on social media that a compromised Web3 connector was injecting malicious code into multiple dApps. The affected component was the npm package @ledgerhq/connect-kit: versions 1.1.5, 1.1.6 and 1.1.7 were published from a compromised maintainer account and carried a wallet drainer that prompted connected users to approve transactions moving their assets to the attacker. Because the Connect Kit loader fetches the kit from a CDN at runtime rather than bundling a pinned build, dApps picked up the malicious version without shipping any update of their own, which is why so many front ends were exposed at once. Protocols affected include Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, and any other front end that loaded the package during the window was potentially exposed. MetaMask also confirmed its users were impacted. In total, the attacker reportedly drained at least $484,000 according to blockchain analysis platform Lookonchain, although Ledger has not confirmed the figure.
Ledger’s Response
Around 1:35pm UTC, Ledger reported that the malicious file had been replaced with the genuine version (1.1.8). The company warned users to always verify transaction details on the Ledger device screen before approving anything, since the drainer depended on users signing whatever the browser presented. Ledger also recommended waiting 24 hours before using Ledger Connect Kit again, to allow the genuine version to propagate. Several protocols disabled Ledger Connect Kit as a precaution until the fix was confirmed, and Tether froze the attacker’s USDT. Ledger attributed the compromise to a phishing attack on a former employee, whose npm publishing account was used to push the malicious versions, and said it is working with law enforcement.
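Two checks a dApp team would want to run after an incident like this, written here as an added JavaScript example (not Ledger’s code and not from the page): one flags third-party script tags that load a library from a CDN without a pinned version or a Subresource Integrity hash, which is the runtime-loading pattern that let the malicious package reach sites without any deploy; the other scans a package-lock.json for the Connect Kit versions Ledger identified as affected. The HTML page and the lock object are constructed for the example, the hostname app.example is a placeholder, and the integrity value is a placeholder, not a real digest.

```javascript
// Added example: audit third-party <script> loads and check installed
// @ledgerhq/connect-kit versions against the affected releases.
// Sample HTML and lockfile below are constructed for illustration.

const AFFECTED_CONNECT_KIT = ['1.1.5', '1.1.6', '1.1.7']; // malicious releases
const FIXED_CONNECT_KIT = '1.1.8';                         // genuine replacement

// True when an exact version string is one of the malicious releases.
// Semver ranges (^1.1.5 etc.) must be resolved via the lockfile first.
function isAffectedConnectKit(version) {
  return AFFECTED_CONNECT_KIT.includes(String(version).trim().replace(/^v/, ''));
}

// Walk a package-lock.json object (lockfileVersion 2/3 "packages" map)
// and report every installed copy of @ledgerhq/connect-kit that is affected.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/@ledgerhq/connect-kit') &&
        isAffectedConnectKit(entry.version)) {
      hits.push({ path, version: entry.version, fixed: FIXED_CONNECT_KIT });
    }
  }
  return hits;
}

// Extract <script src=...> tags and flag those that load from a host other
// than firstPartyHost without a pinned version in the URL or an integrity
// attribute. A pinned version looks like "@1.1.8/" or "/1.1.8/" in the path;
// "@latest" or no version at all means whatever the CDN serves today.
function auditScriptTags(html, firstPartyHost) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const tag = m[0];
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue; // inline script, nothing fetched
    let url;
    try { url = new URL(src, `https://${firstPartyHost}/`); } catch { continue; }
    if (url.hostname === firstPartyHost) continue; // served by us, out of scope here
    const pinned = /@\d+\.\d+\.\d+(?:[\/?#]|$)/.test(url.pathname) ||
                   /\/\d+\.\d+\.\d+\//.test(url.pathname);
    const hasIntegrity = /\bintegrity\s*=/i.test(tag);
    const reasons = [];
    if (!pinned) reasons.push('unpinned version');
    if (!hasIntegrity) reasons.push('no integrity attribute');
    if (reasons.length) findings.push({ src, reasons });
  }
  return findings;
}

// Constructed sample page: one first-party script, one pinned CDN load with a
// placeholder SRI value, and one unpinned CDN load with no integrity check.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8/dist/umd/index.js"
        integrity="sha384-PLACEHOLDER_NOT_A_REAL_DIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit/dist/umd/index.js"></script>
</head></html>`;

// Constructed sample lockfile (versions chosen for the example).
const SAMPLE_LOCK = {
  name: 'example-dapp',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-dapp' },
    'node_modules/@ledgerhq/connect-kit-loader': { version: '1.0.0' },
    'node_modules/@ledgerhq/connect-kit': { version: '1.1.7' },
  },
};

console.log('script findings:', auditScriptTags(SAMPLE_HTML, 'app.example'));
console.log('lockfile hits:', findAffectedInLock(SAMPLE_LOCK));
```

The lockfile check only helps where the kit is installed as a dependency; a site that uses the loader package never has @ledgerhq/connect-kit in its lockfile at all, because the loader fetches it at runtime, so for those sites the script-tag audit (or the same check applied to the loader’s fetch URL) is the one that matters. Pinning a version stops a newly published release from being picked up automatically, and the integrity attribute makes the browser refuse a file whose hash does not match, which is the stronger of the two guarantees.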
Conclusion
The Ledger Connect Kit exploit serves as another reminder for users to be vigilant and cautious when approving transactions in DeFi, and to read what the hardware wallet screen shows rather than what the web page claims. Although Ledger has deployed a fix, the full impact of the breach remains unclear. Ledger Connect Kit’s integration across many dApps, loaded at runtime rather than pinned to a verified build, amplified the damage. For now, users should heed Ledger’s advice and refrain from interacting with any dApps using Ledger Connect Kit until further notice.