More decentralized applications (DApps) have temporarily disabled their front-end UI for Ledger Connect amid an exploit on December 14.
Developers of the OpenSea non-fungible token (NFT) platform said on December 14 that users “should not connect to any dApps using Ledger Connect until further notice.”
Meanwhile, decentralized finance (DeFi) protocol Lido Finance stated that its “interfaces have been shut down as a precaution while the Ledger connection issue is investigated.”
Earlier in the day, the interfaces of Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash were compromised as part of the Ledger Connect exploit. Ledger has since stated that the exploit has been patched and that the problem arose from a “malicious version of the Ledger Connect Kit.”
“A genuine version is now being released to replace the malicious file. Do not interact with any dApps at this time. We will keep you informed as the situation evolves.”
Preliminary reports say that the attack has drained at least $484,000 in digital assets. Tether, the issuer of the Tether stablecoin (USDT), has since frozen the address of the exploit's operator. According to Ledger developers, a “genuine version” of the Ledger Connect Kit is “now propagating automatically.” Even so, users are advised to wait 24 hours before using the kit again.
The exploit has been attributed to a phishing attack on a former Ledger employee, which allowed hackers to access sensitive information. “We are filing a report and working with authorities in the investigation to find the attacker,” the developers wrote. An estimated two hours passed between the drain of funds and the time a fix was implemented.
FINAL SCHEDULE AND UPDATE FOR CUSTOMERS:
16:49 CET:
The original version 1.1.8 of the Ledger Connect Kit is now propagating automatically. We recommend waiting 24 hours before using the Ledger Connect kit again.
The investigation continues, here is the timeline of what we know about…
– Ledger (@Ledger) December 14, 2023