Rug Pull Alert: Multiple Protocols Affected in Ledger ConnectKit Attack
In a recent and alarming development, the Decentralized Finance (DeFi) space faced a rug-pull security breach with a supply chain attack on the Ledger ConnectKit.
The Ledger ConnectKit Attack Unveiled
The vulnerability, now labeled a “supply chain attack,” poses a serious risk to users and their assets, potentially allowing malicious code injection into various Decentralized Applications (dApps). The compromised package identified in the attack is LedgerHQ’s ConnectKit, specifically versions greater than 1.1.4, according to Web3 security firm, Blockaid.
🚨 We've detected a potential supply chain attack on ledgerconnect kit 🚨
The attacker injected a wallet draining payload into the popular NPM package.
This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T— Blockaid (@blockaid_) December 14, 2023
The impact of the supply chain attack on Ledger ConnectKit was felt across various DeFi protocols. Blockaid mentioned that SushiSwap, Kyber, RevokeCash, and Zapper were among the vulnerable decentralized exchanges.
Reacting promptly to the threat, Kyber and RevokeCash disabled their front ends. It is worth noting that this vulnerability comes only shortly after KyberSwap fell victim to a major exploit that resulted in the loss of around $46 million in various cryptocurrencies.
Blockaid estimates that approximately $150,000 has been lost within just a few hours, emphasizing the immediate and widespread impact of the attack. The security firm was quick to assure users of Blockaid-enabled wallets that they are protected from this specific threat, but the broader implications of this attack could pose substantial risks to the broader Web3 ecosystem.
The origin of the vulnerability traces back to the use of a specific Content Delivery Network (CDN) to host the Ledger ConnectKit software library. Matthew Lilly, the Chief Technology Officer of Sushi, explained,
“LedgerHQ/connect-kit loads JS from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.”
Ledger Unveils Response and Recovery Efforts
In response to the attack, Ledger issued a statement acknowledging the compromise and assuring users that a genuine version of the Ledger ConnectKit is being pushed to replace the malicious file. A software patch has also been developed to address the vulnerability.
As a precautionary measure, users are strongly advised to refrain from interacting with any dApps associated with the Ledger ConnectKit until further notice. The incident highlights the importance of continuous security audits, proactive measures, and swift responses to emerging threats to safeguard the integrity of decentralized financial systems.
- Michael Saylor Predicts Bitcoin Will Outperform S&P 500 Forever
- Crypto Market Eyes Upside as FTX Set to Repay $1.6B to Customers
- Elon Musk’s X Vows Crackdown on Bribery Network Behind Crypto Scam Accounts
- Flare Unveils First XRP-Backed Stablecoin, Boosting XRP’s Utility
- MLP Bets Big on Climate Change: Favours Play-To-Impact, Over Play-To-Earn
- Chainlink Price Prediction: Whales Scoop 2M LINK as Analysts Eye 184% Breakout Rally
- Shiba Inu (SHIB) Price Prediction: Massive SHIB Burn and 80-Week Cycle Mirroring Past Rallies: Will History Repeat?
- Cardano Price Stays Above Ichimoku Cloud as Grayscale ADA ETF Approval Nears
- HBAR Price Prediction as SEC Approves Generic ETF Framework – Analyst Targets $1.80
- Toshi Coin Gains 57% in One Day: What’s Driving the Sudden Upside?
- Shiba Inu Price Set to Soar as Exchange Reserves Dive Amid SHIB ETF Chatter
Why Trust CoinGape
CoinGape has covered the cryptocurrency industry since 2017, aiming to provide informative insights Read more…to our readers. Our journal analysts bring years of experience in market analysis and blockchain technology to ensure factual accuracy and balanced reporting. By following our Editorial Policy, our writers verify every source, fact-check each story, rely on reputable sources, and attribute quotes and media correctly. We also follow a rigorous Review Methodology when evaluating exchanges and tools. From emerging blockchain projects and coin launches to industry events and technical developments, we cover all facets of the digital asset space with unwavering commitment to timely, relevant information.
