The potential hack arrives at a time of growing token and coin activity after a market recovery.
- Major decentralized exchanges, NFT markets and games may be compromised.
- Ledger users are advised to avoid their hardware wallets until the situation clears.
- A compromised library and JS injection mean any app can try to steal crypto tokens, coins, or NFTs.
Updated December 14: Ledger users need a small update to avoid asset-draining apps. The issue was resolved just hours after it was reported, and so far there is no news of missing assets. Users must update to the latest version of Ledger software and clear their cache of any previous code that may generate unwanted transactions.
The Ledger issue is now fixed.
To make sure you don't have the malicious library cached, go to https://t.co/MSVgii7Ufk and ensure the version is 1.1.8.
If it's not, clear your cache. Chrome: F12 > Chrome Developer Tools > Application tab > Storage in left tree > Clear site data. pic.twitter.com/BtNUiO4vXF
— Mudit Gupta (@Mudit__Gupta) December 14, 2023
One of the biggest obstacles to Web3 adoption is the presence of bad actors. Among legitimate apps and games, players can encounter various types of malicious software that aims to steal assets.
Now, even the most secure hardware wallet, Ledger, has been affected by an exploit that allows apps to drain all assets, including tokens, coins and NFTs.
As of December 14, multiple apps are affected and the final list is unknown.
⚠️⚠️⚠️⚠️⚠️⚠️
Warning: Multiple popular crypto applications that integrate with Ledger's ConnectKit library, including https://t.co/MkINKOiX5N have been compromised. We temporarily took the website offline as we're investigating further. We recommend not using *any* crypto website…
— Revoke.cash (@RevokeCash) December 14, 2023
All users are urged to avoid using Ledger until the situation is fixed. Malicious software can make a call to a wallet and create a transaction even without the user’s explicit consent.
The exploit situation is still developing. Early information indicates that some leading exchanges, such as SushiSwap, may be compromised.
The potential exploit arrives at a time of growing token and coin prices, as well as increased user activity on Ethereum, Solana and other networks. Potentially, the malicious JS code may be injected into multiple apps, so none are considered safe.
Avoid Web3 Frontends and Apps Until Ledger Gives the All-Clear
App frontends in Web3 can also affect online wallets like MetaMask. Following the compromise of the Ledger library, all Web3 apps, NFT sales and other frontends are considered risky.
Ledger Library Exploit Explainer for Average Folks
What is going on with the recent alerts not to use dapps?
A library that is used by many dapps that is maintained by Ledger was compromised and a wallet drainer was added.
What do I do as a normal user?
Do not interact with… https://t.co/exre0QfykD
— Hudson Jameson (@hudsonjameson) December 14, 2023
Ledger is usually used as a long-term storage device and is not typically connected as a hot wallet. For short-term NFT sales or game connections, users may create a new wallet holding only the assets needed for planned transactions.
Other Web3 games and apps try to do away with a wallet connection, instead using in-game wrapped assets. Wallets remain a highly secure technology, but the risk also lies in interacting with smart contracts and other features not immediately visible to the user.
End users may also receive a prompt to sign a transaction. The best approach to using Web3 apps is to turn on the feature for approving each transaction manually. Apps that use wallet-as-a-service or in-game assets are safer from wallet drainers.