Editor's Pick

Breaking: Ledger Removes Bug Allowing Popular Decentralized Applications To Be Compromised – Here’s the Latest

Source: iStock / welcomia

Multiple popular decentralized applications (dApps) have been compromised following a hack against a popular Web3 connector on Wednesday, numerous software experts confirmed on Thursday.

“Do not interact with ANY dApps until further notice,” warned Matthew Lilley, CTO of SushiSwap, in a post to X. “It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.”

The connector in question is “Ledger Connector,” a tool from the popular wallet provider that lets crypto users connect their mobile wallets to decentralized apps like exchanges and lending platforms.

As such, the attack doesn’t solely affect one dApp, but any that may use Ledger’s connect kit.

RED ALERT :

Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.

— I’m Software (@MatthewLilley) December 14, 2023

Shortly thereafter, Ledger confirmed that the malicious code had been identified and removed from its libraries and that user wallets had not been compromised.

“A genuine version is being pushed to replace the malicious file now,” the company stated.

Other X users like @bantg confirmed in advance that Ledger’s software library had been compromised and “replaced with a drainer,” with new fields like “minimalDrainValue” inserted into its code.

Given the frequency of new updates to the database in the last few hours, onlookers didn’t believe the real Ledger company was responsible.

According to @officer_cia – a hacker relations expert for Web3 security firm Remedy – some affected dApps included Sushi, as well as the DeFi dashboard Zapper, and “wallet hygiene” service Revoke.cash.

Stay Away From dApps, Expert Warn


Polygon Labs VP Hudson Jameson has acknowledged the hack and also warned crypto users to not use any dApps. “This is an ongoing situation and it is risky to use dApps currently if you don’t understand what backend libraries they use,” he said.

While visiting dApp websites alone won’t allow users’ funds to be drained, certain prompts from browser wallets – such as MetaMask – will invite users to mistakenly forfeit their assets to hackers.

“Does Ledger know about this? Yes they do and are working on it,” said Jameson. Nevertheless, projects using Ledger’s library will need to “update things” even after Ledger corrects for any malicious code.

This is the second time this year that Ledger has come under fire for poor security practices.

In May, Ledger was blasted for its “Ledger Recover” wallet service, which triggered concern that the accompanying firmware update would allow users’ private keys to be extracted from their wallets.

After criticism cooled off, the company debuted the product the late October.

The post Breaking: Ledger Removes Bug Allowing Popular Decentralized Applications To Be Compromised – Here’s the Latest appeared first on Cryptonews.

You May Also Like

Editor's Pick

Source: Ark Invest / Instagram ARK Investment Management, led by prominent investor Cathie Wood, has reduced its holdings in the Grayscale Bitcoin Trust (GBTC)...

Latest News

A super PAC that has overseen much of Ron DeSantis’s presidential operation has fired its CEO less than two weeks after the previous chief...

Latest News

WINDHAM, N.H. — It’s pouring rain Saturday morning as New Hampshire Gov. Chris Sununu (R) arrives at Mary Ann’s diner in Windham, fielding calls...

Stock

Popeyes is expanding its menu beyond chicken sandwiches — and it’s a permanent change this time. The fast-food chain announced Wednesday it’s adding five...

Disclaimer: Incomeinnovatorhub.com, its managers, its employees, and assigns (collectively “The Company”) do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2024 incomeinnovatorhub.com