Rug Pull Alert: Multiple Protocols Affected in Ledger ConnectKit Attack
In a recent and alarming development, the Decentralized Finance (DeFi) space faced a rug-pull style security breach in the form of a supply chain attack on the Ledger ConnectKit.
The Ledger ConnectKit Attack Unveiled
The vulnerability, now labeled a “supply chain attack,” poses a serious risk to users and their assets, potentially allowing malicious code injection into various Decentralized Applications (dApps). The compromised package identified in the attack is LedgerHQ’s ConnectKit, specifically versions greater than 1.1.4, according to Web3 security firm Blockaid.
🚨 We've detected a potential supply chain attack on ledgerconnect kit 🚨
The attacker injected a wallet draining payload into the popular NPM package.
This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T — Blockaid (@blockaid_) December 14, 2023
The impact of the supply chain attack on Ledger ConnectKit was felt across various DeFi protocols. Blockaid mentioned that SushiSwap, Kyber, RevokeCash, and Zapper were among the vulnerable decentralized exchanges.
Reacting promptly to the threat, Kyber and RevokeCash disabled their front ends. It is worth noting that this vulnerability comes only shortly after KyberSwap fell victim to a major exploit that resulted in the loss of around $46 million in various cryptocurrencies.
Blockaid estimates that approximately $150,000 was lost within just a few hours, emphasizing the immediate and widespread impact of the attack. The security firm was quick to assure users of Blockaid-enabled wallets that they are protected from this specific threat, but the wider implications of this attack could pose substantial risks to the broader Web3 ecosystem.
The origin of the vulnerability traces back to the use of a specific Content Delivery Network (CDN) to host the Ledger ConnectKit software library. Matthew Lilly, the Chief Technology Officer of Sushi, explained,
“LedgerHQ/connect-kit loads JS from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.”
Ledger Unveils Response and Recovery Efforts
In response to the attack, Ledger issued a statement acknowledging the compromise and assuring users that a genuine version of the Ledger ConnectKit is being pushed to replace the malicious file. A software patch has also been developed to address the vulnerability.
As a precautionary measure, users are strongly advised to refrain from interacting with any dApps associated with the Ledger ConnectKit until further notice. The incident highlights the importance of continuous security audits, proactive measures, and swift responses to emerging threats to safeguard the integrity of decentralized financial systems.