Analysts estimate the damage from the exploit at $610 000

Ledger CEO announces that the Ledger Connect Kit library vulnerability for DApps has been resolved

15.12.2023 - 07:49

340

2 min

What’s new? On December 14, an exploit was carried out on the Ledger Connect Kit Javascript library for connecting websites to Ledger hardware wallets. The company itself assured that the attack did not affect the integrity of Ledger hardware or Ledger Live and only affected third-party decentralized applications (DApps) that used the library. In his open letter, Ledger CEO Pascal Gauthier assured that the vulnerability had already been fixed.

Pascal Gauthier’s address

What else is known? Gauthier explained that the exploit was accomplished by phishing a attack on a former employee and injecting a malicious file into the package manager for Javascript code (NPMJS) shared between applications.

Together with partner WalletConnect, the company addressed the vulnerability by updating NPMJS to remove and deactivate the malicious code, which took about 40 minutes. The malicious file itself was active for about five hours, with a withdrawal period of about two hours, Ledger believes.

The company is now automatically updating the Ledger Connect Kit to version 1.1.8, which is safe to use. Gauthier also thanked USDT’s issuer Tether, Chainalysis analysts, and an anonymous blockchain researcher under the nickname ZachXBT for their cooperation. Thus, Tether froze the address of the hacker, as reported by the company’s CEO Paolo Ardoino. According to data from the analytics platform Arkham Intelligence, it contains cryptocurrencies worth $272 944.

Gauthier added that at Ledger, no individual can deploy code without review and approval from multiple parties. Any employee has their access to internal systems revoked upon termination, but there was an “unfortunate isolated incident” and the company will improve its security practices.

The company is also working with law enforcement to help recover stolen assets from affected DApps users. As ZachXBT noted, the damage from the exploit exceeded $610 000.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy