The exploit that occurred yesterday in the Ledger Library, which is integrated into many crypto projects, has caused widespread concern and market instability. This event highlights the pervasive risks in the digital asset landscape, particularly in the emerging field of decentralised finance (DeFi).
At the heart of the crisis is a critical vulnerability in the LedgerHQ library. This software component is used by various decentralised applications (Dapps). The vulnerability allowed malicious code to be injected into the front-end of many Dapps, putting users and their assets at significant risk.
Ledger library as a means to an end
The type of vulnerability exploited is often referred to as a "supply chain attack". In this type of attack, the target is not the end product, but one of the components. Such attacks are particularly insidious because they can simultaneously target multiple systems that use the same compromised component. In this case, the Ledger library acted as a channel, rapidly spreading the malicious code across multiple platforms. This widespread impact highlights the interconnected nature of modern crypto platforms and the cascading effects that can result from a single point of failure.
ledger asks to use connect-kit loader to load connect-kit, but even if you follow the best practices and pin the version of the loader, it fetches the latest version of connect-kit >=1.0.0, <2.0.0.
this has allowed the attackers to infiltrate a shitton of libraries by…
— banteg (@bantg) December 14, 2023
Ledger's response and aftermath
In response to this crisis, Ledger, the maker of the popular hardware wallet and creator of the compromised library, acted quickly. They identified and removed the malicious version of their software and released an update to fix the vulnerability. However, the attackers were able to withdraw approximately $600,000 from wallets during the few hours in which the vulnerability was live.
Ledger's rapid response was exemplary in preventing further losses and restoring confidence in their systems. They urged users via X, formerly Twitter, to refrain from interacting with decentralised applications until the issue was fully resolved. However, there is no mention of the incident on Ledger's status page, official blog or developer portal.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
Dapp users should note that the fixed library does not reach them automatically: each affected project must first deploy the update, so the risk to users is by no means eliminated. This incident serves as a reminder of the importance of strict security protocols and rapid crisis response mechanisms in the crypto industry.