Security issue in Ledger ConnectKit library affects multiple decentralized applications

A critical Web3 security issue emerged today, reportedly affecting several decentralized applications. The issue was related to a software library from the hardware wallet provider Ledger that dapps relied on.

The incident allowed malicious code to be injected into numerous dapps on their front-ends, posing a significant risk to users and their assets. Consequently, front ends to multiple dapps could be vulnerable if used. Projects like Kyber and RevokeCash confirmed on X that they disabled their front-ends.

Security firm Blockaid described it as a “supply chain attack” on Ledger ConnectKit — wherein an attacker replaced the library software with malicious code to drain assets.

The issue may have emerged due to an alleged compromise of a specific content delivery network (CDN) that hosted the said software library, according to Sushi’s chief technology officer Matthew Lilley. “LedgerHQ/connect-kit loads JS [JavaScript] from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps,” Lilley said. He added that any dApp which makes use of LedgerHQ/connect-kit was vulnerable.

Blockaid estimated that $150,000 had been lost in the first couple of hours of the incident. Later the stolen value of funds rose to over half a million dollars. Stablecoin issuer Tether blacklisted the hacker's address.

Ledger responds

A software patch has been finalized in an update and may need to be adopted by dapps before conditions are safe. “We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now,” Ledger said in a statement.

Meanwhile, Lilley and others have warned users to avoid interacting with any dapps until further notice.

MetaMask, the most widely used web3 wallet app said the incident affects all users, not just Ledger. It has deployed a fix for its app and asked users to update to the latest version.