Ledger Hack 2023-12-14

From Vulnerapedia

On 14 December 2023, one of Ledger's libraries, the '@ledgerhq/connect-kit' npm package, was compromised by a malicious actor. The attacker replaced the npm package with malicious code that drained funds from user wallets.

Similar drainers have been used for phishing through social media; this drainer, however, made the user believe the prompt came from the connected dApp itself, which made it highly dangerous.

The attack works by asking the user to sign a transaction; once it is signed, their funds can be drained.

Vulnerability Cause

From an outsider's point of view, the cause of the attack could have been either a compromised npmjs account or a compromised authentication token belonging to the package owner.

However, according to an update from Ledger on December 14th, the incident occurred because a former employee named Jun fell victim to a phishing attack; Ledger had overlooked revoking the access rights of his account, which gave the attacker access to their NPMJS account with privileged access control.

The attacker published a malicious version of the Ledger Connect Kit (specifically versions 1.1.5, 1.1.6, and 1.1.7), using modified WalletConnect code to redirect funds to their own wallet after the user signed a poisoned transaction.[1]

The redirection is done through a malicious WalletConnect project. WalletConnect is a software company offering Web3 SDKs that facilitate the connection of cryptocurrency wallets to decentralized applications (dApps) on the web.

Impact

Various protocols and applications that use this library have been affected. Through the library, the attacker gained remote code execution in the affected front ends and could potentially take full control of user funds, depending on the affected protocol owner's privileges.

The compromised kit was live for around 5 hours, leading to an estimated loss of $600,000 from various users.

Known affected protocols

Mitigation methods

The Ledger Team replaced the compromised kit with an authentic version of the library.

If you're a user:

  • Always check whether the payload of the transaction is safe
  • Never sign unknown transactions
  • Clear the browser cache to avoid fetching infected libraries
  • Avoid connecting to dApps that use the infected npm package

If you're a protocol:

  • Check your dependencies for the compromised package
  • Notify users of the security breach responsibly
  • Update the library once the patched version is available
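As an added example of the dependency check above (not code from the page or from Ledger), the following script scans a parsed package-lock.json for the compromised Connect Kit releases this page names. The sample lockfiles and the package names 'wagmi' and 'wallet-sdk' in them are constructed for illustration.

```javascript
// Added example, not code from the page or from Ledger: scan an npm lockfile
// (package-lock.json, parsed as JSON) for the compromised @ledgerhq/connect-kit
// releases named on this page: 1.1.5, 1.1.6 and 1.1.7.
const COMPROMISED = { '@ledgerhq/connect-kit': new Set(['1.1.5', '1.1.6', '1.1.7']) };

// Package name from a lockfile v2/v3 path such as
// "node_modules/wagmi/node_modules/@ledgerhq/connect-kit".
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

// Returns every occurrence of a compromised package, with where it sits in the
// dependency tree. Handles lockfileVersion 2/3 (flat "packages" map, which also
// lists nested duplicates) and lockfileVersion 1 (nested "dependencies" tree).
function findCompromised(lock, table = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    if (table[name] && table[name].has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== '') check(entry.name || nameFromPath(path), entry.version, path); // "" is the root project
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry.version, prefix + name);
      walk(entry.dependencies, prefix + name + ' > ');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles for a hypothetical dApp front end (not a real project).
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'example-dapp', version: '0.1.0' },
  'node_modules/@ledgerhq/connect-kit': { version: '1.1.6' },
  'node_modules/wagmi': { version: '1.0.0' },
  'node_modules/wagmi/node_modules/@ledgerhq/connect-kit': { version: '1.1.4' },
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  'wallet-sdk': { version: '2.0.0', dependencies: { '@ledgerhq/connect-kit': { version: '1.1.7' } } },
} };

// With a real project: findCompromised(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))).
console.log(findCompromised(SAMPLE_LOCK_V3), findCompromised(SAMPLE_LOCK_V1));
```

A non-empty result means a compromised release is pinned somewhere in the tree, and the 'where' field shows which dependency pulled it in.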

References

  1. @Ledger on X (formerly Twitter), 2023-12-14: "This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account. The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7)."