Ledger Releases New Connect Kit Version to Mitigate Hack Impact

Ledger has replaced its malicious ConnectKit with a new version as a way of managing the impact of the malicious hack it suffered earlier today. 

Ledger Requests Move to Version 1.1.8

The protocol took to the X app to inform the public that the latest Connect Kit genuine version 1.1.8 has been rolled out. Users are advised to update their app and wait for 24 hours before trying to use the software again. Also, Ledger has assured users of an ongoing investigation to understand the extent of the attack and the level of impact on the protocol.

FINAL TIMELINE AND UPDATE TO CUSTOMERS:

4:49pm CET:

Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.

The investigation continues, here is the timeline of what we know about…

— Ledger (@Ledger) December 14, 2023

Ledger offered a timeline detailing how the attack went down as well as how it was discovered. The Ledger ConnectKit was attacked in a rug-pull security breach which resulted in an initial loss of about $150,000. A former Ledger employee fell victim to a phishing attack that granted the bad actor access to their NPMJS account. Next, a malicious version of the Ledger Connect Kit ranging from versions 1.1.5, 1.1.6, and 1.1.7 was published.

Immediately, the security team was contacted to salvage the situation, and “a fix was deployed within 40 minutes of Ledger becoming aware.” The attack was disabled in alliance with WalletConnect, a communication protocol for Web3.0. Tether has also helped in the freezing of the hacker’s wallet and reinforcing blockchain security

Proactive Moves from Impacted Ledger Clients

The vulnerability, now labeled by the protocol as a “supply chain attack,” was perceived to likely pose a serious threat to users and their assets since it involves the injection of malicious code into different Decentralized Applications (DApps). 

The vulnerability in the attack was later identified to have an impact on other protocols besides Ledger. Some impacted Decentralized Finance (DeFi) protocols were SushiSwap, Kyber, RevokeCash, and Zapper. Kyber, which was recently hacked to the tune of $46 million, and RevokeCash acted swiftly by deactivating their respective front ends.

Specifically, the exploit was discovered to affect LedgerHQ’s ConnectKit versions greater than 1.1.4, per findings from Blockaid. Many related crypto projects have boldly declared that they were not affected by the breach but it is worth noting that such attacks have dire consequences for the broader crypto ecosystem.