登入
註冊
掃描 QR Code 下載 APP
更多下載方式
平台通知
交易行情
沒有新通知
更多
選擇語言及地區
简体中文
English
Tiếng Việt
繁體中文
Español
Русский
Français (Afrique)
Português (Portugal)
ไทย
Indonesia
日本語
بالعربية
Українська
Português (Brasil)
漲跌顏色
紅漲綠跌
綠漲紅跌
漲跌幅起始時間
24小時制
UTC 00:00
UTC+8 00:00
Gate.io
BLOG
“Stop Using Dapps!” Ledger Crypto Wallet...
“Stop Using Dapps!” Ledger Crypto Wallet’s Connect Kit Leaves Users Exposed
2023-12-29, 09:09
[//]:content-type-MARKDOWN-DONOT-DELETE ![](https://gimg2.gateimg.com/image/article/1703840429RDZZ 1.jpeg) ## TL; DR An exploit of Ledger Crypto Wallet’s Connect Kit resulted in a theft of digital assets worth over $500,000. <a href="/zh-tw/price/tether-usdt" target="_blank" class="blog_inner_link">Tether</a> froze the hacker’s wallet in a bid to minimize the loss of crypto assets from the hack. Ledger, Sushiswap and Blockaid gave their users directions on what to do after the crypto exploit. ## Introduction Ledger has become the latest victim of crypto hacking, losing over $500,000 worth of digital assets. To deal with the hacking event the firm coordinated with various crypto projects to reduce the level of damage in terms of crypto asset loss. Today, we analyze the cause of the Ledger hack and its effect on cryptocurrency users and other organizations. We will also assess how Ledger and its partners mitigated the potential loss. ## Ledger Supply Chain Attack Ledger Connect Kit was compromised by yet unknown crypto hackers resulting in a loss of more than $500,000 worth of cryptocurrencies. Following that incident Ledger warned its users not to connect web3 dApps as that could lead to further loss of digital assets. Basically, the attacker pushed a Java_script_ wallet drainer into its 'Ledger dApp Connect Kit' library leading to the theft of both NFTs and cryptocurrencies. The [Ledger dApps Connect Kit](https://github.com/LedgerHQ/connect-kit/tree/main/packages/connect-kit-loader "Ledger dApps Connect Kit") enables web3 apps to <a href="/zh-tw/price/link-ln" target="_blank" class="blog_inner_link">LINK</a> with Ledger hardware wallets. The Ledger wallet enables users to buy, transfer and store their digital assets, including NFTs and cryptocurrencies. With it, users can store their digital assets offline thereby reducing the chances of exploits. The wallet supports many digital assets existing on different blockchains like <a href="/zh-tw/price/ethereum-eth" target="_blank" class="blog_inner_link">Ethereum</a> and <a href="/zh-tw/price/bitcoin-btc" target="_blank" class="blog_inner_link">Bitcoin</a>. The reason why Ledger warned its users to avoid connecting to various web3 dapps it partnered with is that the attacker compromised its kit to include a malicious code, a wallet drainer. Nonetheless, it is important to note that the wallet drainer can only steal the assets if the user connects his/her wallet to the related dapps. According to a [notice on Github](https://github.com/LedgerHQ/connect-kit/issues/29 "notice on Github") the malicious code affected versions 1.1.5 through 1.1.7 of the Connect Kit. The code was added through a compromised NPM account. Therefore, the users had to stop connecting to associated web3 dapps until Ledger restored the safe version of the Connect Kit. Ledger also warned the users about crypto phishing attacks that were ongoing during that period as other attackers aimed at taking advantage of the existing situation. At the same time, the users were advised against sharing their seed phrases or other essential information related to their wallets. Read also: [Top Crypto Scams to Avoid](https://www.gate.io/blog_detail/674/top-crypto-scams-to-avoid "Top Crypto Scams to Avoid") Soon after noticing the attack on its connect kit, Ledger communicated with its users, warning them of the potential danger. For example, the company said, “We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live were not compromised.” Later on, it provided an update of the situation. It posted, “The malicious version of the file was replaced with the genuine version at around 2:35 pm CET. The new genuine version should be propagated soon. We will provide a comprehensive report as soon as it’s ready.” Related news: [Why Crypto Theft Is on The Rise](https://www.gate.io/uk/blog_detail/2237 "Why Crypto Theft Is on The Rise") It added, “In the meantime, we’d like to remind the community to always Clear Sign your transactions - remember that the addresses and the information presented on your Ledger screen are the only genuine information. If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.” ## The Reaction of the Other Parties After the news of the Ledger Wallet’s Connect Kit crypto attack Ledger’s partners actively warned their users to prevent further thefts. Blockaid, a Web3 security firm, was among the first players to advise the crypto community about the supply chain attack. It tweeted, “We've detected a potential supply chain attack on ledger connect kit. The attacker injected a wallet-draining payload into the popular NPM package.” It added, “Dapps using versions 1.1.4 and above of Ledger's connect-kit, including <a href="/zh-tw/price/sushi-sushi" target="_blank" class="blog_inner_link">Sushi</a>.com and Hey.xyz, were affected.” Hudson Jameson, Ethereum core developer liaison, further warned hacked crypto users to proceed with care. [He said](https://twitter.com/hudsonjameson/status/1735283602340843757 "He said"), "It is risky to use dapps currently if you don't understand what backend libraries they use. Even after Ledger corrects the bad code in their library, projects using and deploying that library will need to update things before it is safe to use dapps that use Ledger's web3 libraries." Metamask [also advised its users](https://twitter.com/MetaMask/status/1735291650614653364?s=20 "also advised its users") on how to proceed after the crypto exploit. It posted, “Ledger users: @blockaid has identified an attack on Ledger Connect Kit. Please stop using dApps.” It further stated, “Please stop using dApps. If you’re a MetaMask user: Please ensure that you have the Blockaid feature turned on in MetaMask Extension before performing any transactions on MetaMask Portfolio. The MetaMask Portfolio team is on it and has a fix in place that will be rolled out today.” Sushiswap also warned its users to take careful steps in the wake of the crypto exploit. It advised them not to connect with any decentralized apps. It posted on X, “If you have the Sushi page open and see an unexpected 'Connect Wallet' pop-up, DO NOT interact or connect your wallet." Matthew Lilley, Sushi CTO, was more explicit. He tweeted, “**Do not interact with ANY dApps until further notice.**” There are several decentralized finance protocols like Sushi, Metamask, Phantom, <a href="/zh-tw/price/balancer-bal" target="_blank" class="blog_inner_link">Balancer</a>, Lido, Coinbase and Zapper that use Ledger [Connect Kit](https://developers.ledger.com/docs/connectivity/connect-kit "Connect Kit") software to link decentralized applications with their products. Therefore, once a crypto hacker accesses the front end of a website or application he/she can alter the functions which the users see to divert their funds to the wrong destinations. Ledger managed to correct the system after about 40 minutes from the time it became aware of the exploit. Ledger gave an update of how the crypto exploit occurred. It stated that its former employee was a victim of a crypto phishing attack which enabled the hackers to insert the malicious code into its Connect Kit. In a bid to recover the loot Tether, the stablecoin issuer, disabled the hacker’s digital wallet. Read also: [The Top 7 Best Crypto Wallets](https://www.gate.io/blog_detail/1280/the-top-7-best-crypto-wallets "The Top 7 Best Crypto Wallets") ## Conclusion A recent crypto hack resulted in malicious actors stealing digital assets worth more than $600,000. That followed the hacking of the Ledger dApps Connect Kit after a phishing attack. After the hacking incident several crypto firms including Ledger, Sushiswap and Blockaid, warned crypto users to avoid using decentralized applications connected to the Ledger dApps Connect Kit. ## FAQs about Ledger Wallet? ### What is Ledger? Ledger is a company that owns ledger cryptocurrency wallets which are devices used for storing digital assets. The Ledger ecosystem provides people with the opportunity to buy, store and sell digital assets. ### Which crypto wallet is the most secure? Most people believe that Trezor is the safest crypto wallet on the market at the moment. Nonetheless, other hardware crypto wallets like Ledger are also very secure. ### How to keep your crypto safe? You can keep your crypto safe by storing it in secure cryptocurrency exchanges like Gate.io. Similarly, you can store digital assets in cold wallets such as Trezor and Ledger. <div class="blog-details-info"> <div>Author:** Mashell C.**, Gate.io Researcher <div class="info-tips">\*This article represents only the views of the researcher and does not constitute any investment suggestions. <div>\*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all cases, legal action will be taken due to copyright infringement. </div>
分享一下
目錄
TL;DR
Introduction
Ledger Supply Chain Attack
The Reaction of the Other Parties
Conclusion
FAQs about Ledger Wallet
荣誉积分榜
完成动态任务,升级荣誉等级
马上参与
相關文章
行情資訊
科普:从比特币到以太坊-为什么说以太坊是区块链2.0
2021-06-20, 09:30
行情資訊
史上最大空投可能来临:MetaMask即将推出Token
2022-03-18, 04:53
行情資訊
流动性挖矿科普:流动性有多重要?从做市商谈起
2021-07-19, 07:36