Popular hardware wallet manufacturer General ledger have advised users not to connect to dApps for the next 24 hours after pushing an urgent fix to fix a compromised version of their Ledger Connect Kit library.
This library – used by the likes of MetaMask, Coinbase, Lido and others to connect their services to hardware wallets – was compromised after a phishing attack on an ex-Ledger employee, in which the hacker published a malicious file that compromised the wallet of users emptied.
A secure version of Ledger Connect Kit has now been automatically distributed to users, with Ledger publishing a timeline of events and their initial research.
FINAL TIMELINE AND UPDATE FOR CUSTOMERS:
16:49 CET:
Ledger Connect Kit authentic version 1.1.8 is now propagated automatically. We recommend that you wait 24 hours before using the Ledger Connect Kit again.
The investigation continues. Here’s the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
When was the threat identified and resolved?
The threat was publicly identified at 12:30 GMT today by Matthew Lilley, CTO of decentralized exchange Sushi (formerly SushiSwap).
In a now-deleted tweet, MetaMask announced that they had pushed out an update to their service shortly afterwards to protect their users, while a host of other web3 services announced whether or not they were affected.
Ledger announced a fix at 1:35 PM GMT and published a timeline of events at 3:49 PM GMT, stating that they had implemented a fix within 40 minutes of becoming aware of the problem, and that although the malicious file was live for about 5 minutes was hours, “the time frame in which funds were siphoned off was limited to a period of less than two hours.”
???????????? RED ALARM ????????????:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised, allowing the injection of malicious code that affects numerous dApps.
— I am Software ???????? (@MatthewLilley) December 14, 2023
How can I protect my assets?
If you are using a Ledger hardware wallet, or one of the popular services that use Ledger Connect Kit (including MetaMask, Coinbase, Lido, and others), as recommended by Ledger, do not connect to or use any dApps for the next 24 hours.
Many of the most popular Web3 services have published statements about whether or not they are affected. If you’re concerned, check the latest information from the services you use before linking your wallet.
To help prevent future attacks, Ledger has recommended using Clear Signing where possible – their simple method for signing transactions – and to “use an additional Ledger mint wallet” if you need to sign transactions blindly.
Ledger has stated that they are “actively talking to customers whose funds may have been affected,” and will work proactively to “help those individuals at this time.”
Want more? Connect with NFT Plazas
Sign up for the weekly newsletter
follow us on twitter
Like us on Facebook
Follow us on Instagram
*All investment/financial opinions expressed by NFT Plazas are from the personal research and experience of our site moderators and are intended as educational materials only. Individuals are required to fully research any product before making any form of investment.