Users Asked to Avoid Interaction With dApps Due to a Compromise
SushiSwap CTO Matthew Lilley wrote on X (Twitter):
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
The SushiSwap CTO later clarified that dApps using Ledger ConnectKit are vulnerable. He warned:
This isn’t a single isolated attack, it’s a large-scale attack on multiple dApps.
The Web3 security firm Blockaid suspects a supply chain attack on the Ledger ConnectKit. It wrote:
The attacker injected a wallet-draining payload into the popular NPM package. This currently affects a couple of popular dapps including but not limited to Hey.xyz, and Sushi.com.
Blockaid also told BeInCrypto that more than $150,000 worth of funds had been lost in the preceding two hours. Revoke.cash confirmed that it, too, had been compromised, and urged users to avoid any crypto website until there was further clarity.
Lilley tried to summarise the incident in three points, saying that Ledger made “a chain of terrible blunders.” He said:
- They are loading JS from a CDN.
- They are not version-locking loaded JS.
- They had their CDN compromised.
Finally, Ledger informed users that it had identified and removed the malicious version of ConnectKit. It wrote on X (Twitter):
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and Ledger Live were not compromised.