    The Ledger Library exploit

    By Editorial Office CVJ.CH on 15. December 2023

    The exploit that occurred yesterday in the Ledger Library, which is integrated into many crypto projects, has caused widespread concern and market instability. This event highlights the pervasive risks in the digital asset landscape, particularly in the emerging field of decentralised finance (DeFi).

    At the heart of the crisis is a critical vulnerability in the LedgerHQ library. This software component is used by various decentralised applications (Dapps). The vulnerability allowed malicious code to be injected into the front-end of many Dapps, putting users and their assets at significant risk.

    Ledger library as means to an end

    The type of vulnerability exploited is often referred to as a "supply chain attack". In this type of attack, the target is not the end product, but one of the components. Such attacks are particularly insidious because they can simultaneously target multiple systems that use the same compromised component. In this case, the Ledger library acted as a channel, rapidly spreading the malicious code across multiple platforms. This widespread impact highlights the interconnected nature of modern crypto platforms and the cascading effects that can result from a single point of failure.

    ledger asks to use connect-kit loader to load connect-kit, but even if you follow the best practices and pin the version of the loader, it fetches the latest version of connect-kit >=1.0.0, <2.0.0.

    this has allowed the attackers to infiltrate a shitton of libraries by…

    — banteg (@bantg) December 14, 2023
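
The behaviour described in the post above, as an added example (not code from Ledger, the quoted author or this article): a floating range such as `>=1.0.0 <2.0.0` resolves to whatever is newest in the registry, while an exact version plus a recorded digest fails closed. The version numbers, file bodies and the helper names `resolveRange` and `loadPinned` are constructed for illustration.

```javascript
// Added example: all versions and file contents below are constructed.
const { createHash } = require("node:crypto");

// Compare two "MAJOR.MINOR.PATCH" strings numerically.
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// What a floating range resolves to: the highest published version
// inside [min, maxExclusive), regardless of who published it.
function resolveRange(published, min, maxExclusive) {
  const inRange = published.filter(
    (v) => cmp(v, min) >= 0 && cmp(v, maxExclusive) < 0
  );
  return inRange.sort(cmp).pop() ?? null;
}

// Subresource-Integrity style digest of a file body.
const sri = (body) =>
  "sha384-" + createHash("sha384").update(body).digest("base64");

// Hardened load: exact version plus a digest recorded at review time.
function loadPinned(registry, pin) {
  const body = registry[pin.version];
  if (body === undefined) throw new Error("pinned version not published");
  if (sri(body) !== pin.integrity) throw new Error("integrity mismatch");
  return body;
}

function demo() {
  // Constructed registry: version -> served file body.
  const registry = { "1.0.1": "export const kit = 'reviewed build';" };
  const pin = { version: "1.0.1", integrity: sri(registry["1.0.1"]) };
  const before = resolveRange(Object.keys(registry), "1.0.0", "2.0.0");
  // A new release lands inside the range (stand-in for an unreviewed build).
  registry["1.0.2"] = "export const kit = 'unreviewed build';";
  const after = resolveRange(Object.keys(registry), "1.0.0", "2.0.0");
  const pinnedBody = loadPinned(registry, pin); // still the reviewed file
  // If the pinned file is replaced in place, the digest check rejects it.
  registry["1.0.1"] = "export const kit = 'replaced in place';";
  let blocked = false;
  try { loadPinned(registry, pin); } catch (e) { blocked = e.message === "integrity mismatch"; }
  return { before, after, pinnedBody, blocked };
}

console.log(demo());
```
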

    Ledger's response and aftermath

    In response to this crisis, Ledger, the maker of the popular hardware wallet and creator of the compromised library, acted quickly. They identified and removed the malicious version of their software and released an update to fix the vulnerability. However, the attackers were able to withdraw approximately $600,000 from wallets during the few hours the vulnerability was open.

    Ledger's rapid response was exemplary in preventing further losses and restoring confidence in their systems. They urged users via X, formerly Twitter, to refrain from interacting with decentralised applications until the issue was fully resolved. However, there is no mention of the incident on Ledger's status page, official blog or developer portal.

    🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨

    A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

    Your Ledger device and…

    — Ledger (@Ledger) December 14, 2023

    Dapp users should note that the library update is not only relevant to Ledger users: it must first be implemented by every project that uses the library. The risk to users is by no means eliminated. This incident serves as a reminder of the importance of strict security protocols and rapid crisis response mechanisms in the crypto industry.
