MEXCRug Pull Alert: Multiple Protocols Affected in Ledger ConnectKit Attack
In a recent and alarming development, the Decentralized Finance (DeFi) space faced a rug-pull security breach with a supply chain attack on the Ledger ConnectKit.
The Ledger ConnectKit Attack Unveiled
The vulnerability, now labeled a “supply chain attack,” poses a serious risk to users and their assets, potentially allowing malicious code injection into various Decentralized Applications (dApps). The compromised package identified in the attack is LedgerHQ’s ConnectKit, specifically versions greater than 1.1.4, according to Web3 security firm, Blockaid.
🚨 We've detected a potential supply chain attack on ledgerconnect kit 🚨
The attacker injected a wallet draining payload into the popular NPM package.
This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T— Blockaid (@blockaid_) December 14, 2023
The impact of the supply chain attack on Ledger ConnectKit was felt across various DeFi protocols. Blockaid mentioned that SushiSwap, Kyber, RevokeCash, and Zapper were among the vulnerable decentralized exchanges.
Reacting promptly to the threat, Kyber and RevokeCash disabled their front ends. It is worth noting that this vulnerability comes only shortly after KyberSwap fell victim to a major exploit that resulted in the loss of around $46 million in various cryptocurrencies.
Blockaid estimates that approximately $150,000 has been lost within just a few hours, emphasizing the immediate and widespread impact of the attack. The security firm was quick to assure users of Blockaid-enabled wallets that they are protected from this specific threat, but the broader implications of this attack could pose substantial risks to the broader Web3 ecosystem.
The origin of the vulnerability traces back to the use of a specific Content Delivery Network (CDN) to host the Ledger ConnectKit software library. Matthew Lilly, the Chief Technology Officer of Sushi, explained,
“LedgerHQ/connect-kit loads JS from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.”
Ledger Unveils Response and Recovery Efforts
In response to the attack, Ledger issued a statement acknowledging the compromise and assuring users that a genuine version of the Ledger ConnectKit is being pushed to replace the malicious file. A software patch has also been developed to address the vulnerability.
As a precautionary measure, users are strongly advised to refrain from interacting with any dApps associated with the Ledger ConnectKit until further notice. The incident highlights the importance of continuous security audits, proactive measures, and swift responses to emerging threats to safeguard the integrity of decentralized financial systems.
- $7B Virtu Financial Holds $63M XRP as Whales Accelerate Daily Sell-Off
- Breaking: Coinbase Nears $2B Deal to Buy Stablecoin Platform BVNK
- Coinbase CLO Fires Back at Senator Murphy Over ‘Corruption Factory’ Claim
- Crypto Prices Rise: Why Are BTC, ETH, LTC, XRP, SHIB, and ADA Up Today?
- Michael Saylor’s Strategy Eyes S&P 500 Spot Amid Bitcoin-Backed Credit Products Launch
- Pepe Coin Price Forms Multi-Year H&S Pattern as Whale Selling Intensifies
- Ethereum Price Forecast: $5K in Sight Post-Fusaka Upgrade
- Chainlink Price Eyes $25 as AllUnity Integrates CCIP for EURAU Expansion
- Sei Price Forecast: Will Robinhood Listing Spark a Rally?
- XRP Price Outlook as ETF Nears Possible November 13 Launch
- Cardano Price Risks 20% Crash Amid Death Cross and Falling ADA ETF Odds
Why Trust CoinGape
CoinGape has covered the cryptocurrency industry since 2017, aiming to provide informative insights Read more…to our readers. Our journal analysts bring years of experience in market analysis and blockchain technology to ensure factual accuracy and balanced reporting. By following our Editorial Policy, our writers verify every source, fact-check each story, rely on reputable sources, and attribute quotes and media correctly. We also follow a rigorous Review Methodology when evaluating exchanges and tools. From emerging blockchain projects and coin launches to industry events and technical developments, we cover all facets of the digital asset space with unwavering commitment to timely, relevant information.
