Rug Pull Alert: Multiple Protocols Affected in Ledger ConnectKit Attack
In a recent and alarming development, the Decentralized Finance (DeFi) space faced a rug-pull security breach with a supply chain attack on the Ledger ConnectKit.
The Ledger ConnectKit Attack Unveiled
The vulnerability, now labeled a “supply chain attack,” poses a serious risk to users and their assets, potentially allowing malicious code injection into various Decentralized Applications (dApps). The compromised package identified in the attack is LedgerHQ’s ConnectKit, specifically versions greater than 1.1.4, according to Web3 security firm, Blockaid.
🚨 We've detected a potential supply chain attack on ledgerconnect kit 🚨
The attacker injected a wallet draining payload into the popular NPM package.
This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T— Blockaid (@blockaid_) December 14, 2023
The impact of the supply chain attack on Ledger ConnectKit was felt across various DeFi protocols. Blockaid mentioned that SushiSwap, Kyber, RevokeCash, and Zapper were among the vulnerable decentralized exchanges.
Reacting promptly to the threat, Kyber and RevokeCash disabled their front ends. It is worth noting that this vulnerability comes only shortly after KyberSwap fell victim to a major exploit that resulted in the loss of around $46 million in various cryptocurrencies.
Blockaid estimates that approximately $150,000 has been lost within just a few hours, emphasizing the immediate and widespread impact of the attack. The security firm was quick to assure users of Blockaid-enabled wallets that they are protected from this specific threat, but the broader implications of this attack could pose substantial risks to the broader Web3 ecosystem.
The origin of the vulnerability traces back to the use of a specific Content Delivery Network (CDN) to host the Ledger ConnectKit software library. Matthew Lilly, the Chief Technology Officer of Sushi, explained,
“LedgerHQ/connect-kit loads JS from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.”
Ledger Unveils Response and Recovery Efforts
In response to the attack, Ledger issued a statement acknowledging the compromise and assuring users that a genuine version of the Ledger ConnectKit is being pushed to replace the malicious file. A software patch has also been developed to address the vulnerability.
As a precautionary measure, users are strongly advised to refrain from interacting with any dApps associated with the Ledger ConnectKit until further notice. The incident highlights the importance of continuous security audits, proactive measures, and swift responses to emerging threats to safeguard the integrity of decentralized financial systems.
- Breaking: Crypto Market Crashes as Trump Imposes 100% Tariff on China
- ASTER Airdrop Delayed to October 20 Amid Criticisms Over Token Allocations
- U.S. Inflation Data: BLS to Release CPI Report on October 24 Amid Government Shutdown
- Bank of America, Citigroup and Goldman Sachs Explore Issuing Stablecoins Pegged to G7 Currencies
- Breaking: Bitcoin Falls After Trump Threatens ‘Massive’ Increase in Tariffs on China
- Can $TAPZI Reach $1 In Q1 2026?
- Here’s Why XRP Price May Have a Zcash-Like Surge
- $TAPZI Price Prediction: What’s Ahead of the $TAPZI token Presale?
- Cardano Price Targets $2 as Hydra 1.0 Ignites New Era of Speed and Adoption
- Dogecoin Price Prediction as $23M Leaves Exchanges—Is the Parabolic Phase Beginning?
- Pi Network Price Collapses as Analyst Proposes Turnaround Tweaks
Why Trust CoinGape
CoinGape has covered the cryptocurrency industry since 2017, aiming to provide informative insights Read more…to our readers. Our journal analysts bring years of experience in market analysis and blockchain technology to ensure factual accuracy and balanced reporting. By following our Editorial Policy, our writers verify every source, fact-check each story, rely on reputable sources, and attribute quotes and media correctly. We also follow a rigorous Review Methodology when evaluating exchanges and tools. From emerging blockchain projects and coin launches to industry events and technical developments, we cover all facets of the digital asset space with unwavering commitment to timely, relevant information.
