Decentralized Finance (DeFi) is gaining popularity, and user security is more crucial than ever. Recently, a security alert was issued by Matthew Lilley, Chief Technical Officer (CTO) of the DeFi protocol Sushi, regarding a front-end attack targeting the Ledger Connect Kit, a vital tool in the cryptocurrency industry.
A front-end attack in the DeFi world is a malicious intrusion into the visible, user-facing part of an application or website. The Ledger Connect Kit is a tool that lets users connect to their cryptocurrency wallets through Ledger's hardware security devices.
Between 11 AM and 12 PM (UTC), a phishing attack (an online fraud attempt aimed at obtaining confidential information) targeted a former Ledger employee. The hacker gained access to their account on NPMJS, the package manager for JavaScript. NPMJS functions as an online library where developers find specialized tools, called "packages," to build and manage websites or applications. These packages are written in JavaScript, a programming language widely used for web development. An NPMJS account is a developer's personal space for publishing their own packages or using those created by others. Once a hacker controls such an account, they can tamper with those packages, creating security risks for every website or application that depends on them.
Using this access, the hacker modified the Ledger Connect Kit by inserting malicious code into it. The affected versions were 1.1.5, 1.1.6, and 1.1.7.
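A defender-side check, added here as an example and not code from the article or from Ledger: scan a project's package-lock.json for the affected versions named above. The npm package name `@ledgerhq/connect-kit` and the sample lock file contents are assumptions made for this example.

```javascript
// Assumed npm package name of the Ledger Connect Kit (not stated in the article).
const AFFECTED_PACKAGE = "@ledgerhq/connect-kit";
// Versions the article reports as compromised.
const AFFECTED_VERSIONS = new Set(["1.1.5", "1.1.6", "1.1.7"]);

// Lockfile v1 nests dependencies recursively under "dependencies".
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === AFFECTED_PACKAGE && AFFECTED_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    walkV1(meta.dependencies, `${path}/`, hits); // nested copies of a package
  }
}

// Returns every installed copy of the kit whose version is on the affected list.
// Handles lockfile v2/v3 ("packages" map keyed by install path) and v1.
function findAffected(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (!path) continue; // "" is the root project itself
      // The package name is whatever follows the last "node_modules/" segment.
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      if (name === AFFECTED_PACKAGE && AFFECTED_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    walkV1(lockfile.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample lock file: one direct affected copy, one nested clean copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dapp-frontend", version: "0.1.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
  },
};

console.log(findAffected(SAMPLE_LOCK)); // one hit: the direct 1.1.6 copy
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected` and treat any returned entry as a dependency to remove or upgrade immediately.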
This fraudulent code used a fake login window to redirect funds to a wallet controlled by the attacker, as illustrated below:
While this attack did not give the hacker direct access to users' wallets, its impact was substantial. Several applications built on the Ledger Connect Kit, including sites such as Revoke.Cash, were affected. Revoke.Cash, a service that revokes permissions granted to smart contracts, responded by taking its site offline. Once the compromise was discovered, Ledger promptly corrected the code and released an update. However, the hacker managed to divert around $480,000 before the loophole was closed.
Ledger, together with WalletConnect and other partners, traced the hacker's wallet address with the help of Chainalysis. Tether, the issuer of USDT, went further and froze the tokens associated with that address. WalletConnect itself was not affected by this attack, as the company confirmed on its official account.
A complaint has been filed, and Ledger is closely collaborating with authorities to identify and prosecute the culprits. This attack underscores the importance of vigilance and caution when using DeFi services and crypto wallets. On our Discord Summit, we provide the latest instructions for Ledger users to help safeguard their assets and avoid falling victim to this recent security flaw.