A major security breach affecting the Ledger hardware wallet ecosystem was exploited early on Thursday, hitting a number of popular Ethereum-based DeFi applications: Zapper, SushiSwap, Phantom, and Balancer, among others, were compromised, leading to massive liquidations in crypto markets.
Just last week, CoinDesk listed Ledger CEO Pascal Gauthier and several impacted DeFi protocols on its annual Most Influential list.
But what exactly happened there?
“Today we experienced an exploit on the Ledger Connect Kit, a Javascript library that implements a button allowing users to connect their Ledger device to third party DApps (wallet-connected Web sites).
This exploit was the result of a former employee falling victim to a phishing attack, which allowed a bad actor to upload a malicious file to Ledger’s NPMJS (a package manager for Javascript code shared between apps),” — Pascal Gauthier, CEO of Ledger.
Hackers inserted malicious code into the GitHub library for Connect Kit, widely used blockchain software developed by Ledger. Connect Kit is a crucial tool that lets DeFi protocols connect to crypto hardware wallets.
When building Web3 apps, developers commonly use open-source ‘connect kits’ to let their apps connect to users’ wallets. These kits are stock pieces of code that can be installed in many apps, handling the wallet connection process so that developers do not have to write that code themselves.
Thus, such a “supply chain” vulnerability potentially jeopardizes the front end of every protocol that uses the Connect Kit, including Sushi, Lido, Metamask, and Coinbase.
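Because the kit reaches a dapp as an npm dependency, the practical defender's check is to find every copy of it in a build, including transitive copies nested under other packages, and confirm each version is one the team has vetted. The following is an added example, not code from this page or from Ledger: it audits a package-lock.json (the v2/v3 flat "packages" map, with a fallback for the older v1 nested "dependencies" tree) for @ledgerhq/connect-kit entries whose version is not on an allowlist; the allowlist value and the sample lockfile are constructed placeholders, not the actual affected or fixed versions.

```javascript
// Added example (not Ledger's code): audit an npm lockfile for copies of the
// Connect Kit whose version is not on a vetted allowlist.
const PACKAGE = '@ledgerhq/connect-kit';
// Placeholder: replace with the versions your team has actually reviewed.
const VETTED_VERSIONS = new Set(['0.0.0-VETTED-PLACEHOLDER']);

// Lockfile v2/v3 keeps a flat "packages" map keyed by install path, e.g.
// "node_modules/foo/node_modules/@ledgerhq/connect-kit", so transitive copies
// show up here too. Older v1 lockfiles nest them under "dependencies".
function collectConnectKitEntries(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PACKAGE)) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        if (name === PACKAGE) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Returns the entries that are NOT on the allowlist; an empty array means clean.
function auditLockfile(lock, vetted = VETTED_VERSIONS) {
  return collectConnectKitEntries(lock).filter((e) => !vetted.has(e.version));
}

// Constructed sample lockfile: one vetted top-level copy and one unvetted
// transitive copy pulled in by a hypothetical wallet wrapper package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-dapp' },
    'node_modules/@ledgerhq/connect-kit': { version: '0.0.0-VETTED-PLACEHOLDER' },
    'node_modules/some-wallet-wrapper': { version: '2.0.0' },
    'node_modules/some-wallet-wrapper/node_modules/@ledgerhq/connect-kit': { version: '9.9.9' },
  },
};

for (const e of auditLockfile(SAMPLE_LOCK)) {
  console.log(`UNVETTED ${PACKAGE}@${e.version} at ${e.path}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed file; a non-empty result means a copy of the kit is installed that nobody has reviewed.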
For details, refer to this Cointelegraph article.
But why not look on the bright side of life? Tether is always here and ready to helpfully freeze any USDT tokens in minutes – to the pleasure and relief of true fans of decentralized finance.
And yet,
“The standard practice at Ledger is that no single person can deploy code without review by multiple parties. We have strong access controls, internal reviews, and code multi-signatures when it comes to most parts of our development. This is the case in 99% of our internal systems. Any employee who leaves the company has their access revoked from every Ledger system.
This was an unfortunate isolated incident. It is a reminder that security is not static, and Ledger must continuously improve our security systems and processes,” — Pascal Gauthier, CEO of Ledger.
The problem was fixed within several hours on Thursday; Ledger's final timeline can be found here.
However, given the nature of the vulnerability, it is crucial to be careful with any application that may still include a compromised version of the Connect Kit.