‘Wallet drainer’ code added to Ledger library has crypto on edge
Users of crypto web apps are being warned to avoid the platforms until investigations into a potential cybersecurity incident affecting hardware wallet Ledger play out.
Notices of what’s believed to be malicious code, found in software libraries for Ledger’s ConnectKit, which connects blockchain apps with Ledger devices, were shared on social media Thursday morning.
Decentralized exchange SushiSwap took its front-end web app offline soon after the warnings.
“We’ve identified a critical issue the ledger connector has been compromised, potentially allowing the injection of malicious code affecting various dApps,” SushiSwap posted.
“If you have the Sushi page open and see an unexpected ‘Connect Wallet’ pop-up, DO NOT interact or connect your wallet. We’re actively working to remove the ledger wallet connector. For your safety, please refrain from engaging with any dApps until further notice. Stay tuned for updates.”
Revoke.cash, a service which allows crypto users to take back transaction signing powers previously given to Web3 apps, also took its front-end offline to avoid users being duped.
⚠️⚠️⚠️⚠️⚠️⚠️
Warning: Multiple popular crypto applications that integrate with Ledger’s ConnectKit library, including https://t.co/MkINKOiX5N have been compromised. We temporarily took the website offline as we’re investigating further. We recommend not using *any* crypto website…
— Revoke.cash (@RevokeCash), December 14, 2023
Blockworks has reached out to Ledger to learn more.
For now, users are advised to steer clear of front-end apps for crypto platforms. Early indications are that funds cannot be outright stolen from Ledger devices if no further actions are taken.
Front-end web apps may instead display malicious transactions for signing, which, when confirmed, could result in lost funds.
Still, out of an abundance of caution, it’s best to avoid crypto web apps altogether, experts said.
This is a developing story and will be updated.