Ledger pushes update to fix compromised library as users warned to hold off connecting to dApps
Onchain sleuths said the compromised library was replaced with a drainer due to a CDN breach.
Crypto hardware wallet provider Ledger confirmed that its ConnectKit library was compromised.
“We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.”
Banteg, one of the lead developers of Yearn.finance, stated:
“Ledger library confirmed compromised and replaced with a drainer. wait out interacting with any [decentralized applications] till things become clearer.”
The developer added:
“The attackers infiltrate a shitton of libraries by compromising just the connect-kit. last known version coming from ledger is 1.1.4. three releases up to 1.1.7 were posted today, all should be considered compromised.”
Several DeFi projects, including SushiSwap and Revoke Cash, confirmed that the incident impacted them and advised their users to refrain from engaging with their frontend until further notice.
“We’ve identified a critical issue: the ledger connector has been compromised, potentially allowing the injection of malicious code affecting various dApps,” SushiSwap wrote.
Meanwhile, Hudson James, a VP at Polygon Labs, echoed the warnings and urged crypto users not to interact with any dApp front ends for now. He added:
“This is an ongoing situation and it is risky to use dapps currently if you don’t understand what backend libraries they use.”