Popular hardware wallet manufacturer Ledger has advised users not to connect to dApps for the next 24 hours after rolling out an urgent fix for a compromised version of its Ledger Connect Kit library.
This library, used by companies such as MetaMask, Coinbase, Lido and others to connect their services to hardware wallets, was compromised following a phishing attack on a former Ledger employee; the attacker then published a malicious file that drained user wallets.
A secure version of the Ledger Connect Kit has now been automatically distributed to users, and Ledger is publishing a timeline of events and its initial investigation.
FINAL SCHEDULE AND UPDATE FOR CUSTOMERS:
16:49 CET:
The original version 1.1.8 of the Ledger Connect Kit is now propagating automatically. We recommend waiting 24 hours before using the Ledger Connect kit again.
The investigation continues, here is the timeline of what we know about…
– Ledger (@Ledger) December 14, 2023
When was the threat identified and resolved?
The threat was publicly identified by Matthew Lilley, CTO of the Sushi decentralized exchange (formerly SushiSwap), today at 12:30 pm GMT.
In a now-deleted tweet, MetaMask announced that they had released an update to their service to protect their users shortly after, and a number of other web3 services announced whether or not they were affected.
Ledger announced a fix at 1:35 pm GMT and posted a timeline of events at 3:49 pm GMT, stating that it had implemented a fix within 40 minutes of becoming aware of the issue, and that although the malicious file was active for approximately 5 hours, “the window in which funds were drained was limited to a period of less than two hours.”
RED ALERT :
Please do not interact with ANY dApp until further notice. It appears that a commonly used web3 connector has been compromised, allowing the injection of malicious code affecting numerous dApps.
– I am software (@MatthewLilley) December 14, 2023
How can I protect my assets?
If you use a Ledger hardware wallet, or any of the popular services that use Ledger Connect Kit (including MetaMask, Coinbase, Lido and others), follow Ledger's recommendation and do not connect to or use any dApp for the next 24 hours.
Many of the most popular web3 services have released statements about whether or not they are affected. If you have any concerns, please check the latest information for the services you use before connecting your wallet.
To help prevent future attacks, Ledger has recommended using Clear Signing, its plain language transaction signing method, whenever possible, and “using an additional Ledger mint wallet” if you need to blindly sign any transactions.
Ledger has stated that they are “actively speaking to customers whose funds may have been affected” and will work proactively to “assist those individuals at this time.”