Rug Pull Alert: Multiple Protocols Affected in Ledger ConnectKit Attack

In a recent and alarming development, the Decentralized Finance (DeFi) space faced a rug-pull security breach with a supply chain attack on the Ledger ConnectKit.

The Ledger ConnectKit Attack Unveiled

The vulnerability, now labeled a “supply chain attack,” poses a serious risk to users and their assets, potentially allowing malicious code injection into various Decentralized Applications (dApps). The compromised package identified in the attack is LedgerHQ’s ConnectKit, specifically versions greater than 1.1.4, according to Web3 security firm, Blockaid.

The impact of the supply chain attack on Ledger ConnectKit was felt across various DeFi protocols. Blockaid mentioned that SushiSwap, Kyber, RevokeCash, and Zapper were among the vulnerable decentralized exchanges. 

Reacting promptly to the threat, Kyber and RevokeCash disabled their front ends. It is worth noting that this vulnerability comes only shortly after KyberSwap fell victim to a major exploit that resulted in the loss of around $46 million in various cryptocurrencies. 

Blockaid estimates that approximately $150,000 has been lost within just a few hours, emphasizing the immediate and widespread impact of the attack. The security firm was quick to assure users of Blockaid-enabled wallets that they are protected from this specific threat, but the broader implications of this attack could pose substantial risks to the broader Web3 ecosystem.

The origin of the vulnerability traces back to the use of a specific Content Delivery Network (CDN) to host the Ledger ConnectKit software library. Matthew Lilly, the Chief Technology Officer of Sushi, explained, 

“LedgerHQ/connect-kit loads JS from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.”

Ledger Unveils Response and Recovery Efforts

In response to the attack, Ledger issued a statement acknowledging the compromise and assuring users that a genuine version of the Ledger ConnectKit is being pushed to replace the malicious file. A software patch has also been developed to address the vulnerability.

As a precautionary measure, users are strongly advised to refrain from interacting with any dApps associated with the Ledger ConnectKit until further notice. The incident highlights the importance of continuous security audits, proactive measures, and swift responses to emerging threats to safeguard the integrity of decentralized financial systems.