Ledger ConnectKit fell victim to a supply chain attack, resulting in a significant security compromise known as a “rug-pull.”
The vulnerability allows the injection of malicious code into various decentralized applications (dApps), posing a considerable threat to users and their assets.
Web3 security firm Blockaid identified LedgerHQ’s ConnectKit, particularly versions beyond 1.1.4, as the compromised package in this attack.
According to Ledger, the incident occurred when a former employee’s NPMJS account was compromised due to a phishing attempt earlier today.
The malicious code, which redirected assets to a hacker’s wallet through a rogue WalletConnect project, is under investigation. Ledger has pledged to collaborate with law enforcement and file a formal complaint to identify and apprehend the perpetrator.
The supply chain attack on Ledger ConnectKit had repercussions across multiple DeFi protocols. Kyber, SushiSwap, RevokeCash, and Zapper were identified as vulnerable decentralized exchanges by Blockaid.
In response to the threat, Kyber and RevokeCash immediately deactivated their front ends. This vulnerability was discovered shortly after KyberSwap was hacked, resulting in the loss of around $46 million in crypto.
Blockaid estimates that nearly $150,000 was lost within a few hours, emphasizing the attack’s rapid and widespread impact.
While Blockaid assured users that its wallets were secure, the consequences of the hack could be detrimental to the broader Web3 ecosystem.
The compromised Ledger ConnectKit software library was hosted on a specific Content Delivery Network (CDN), which was where the vulnerability was discovered.
Ledger acknowledged the breach and assured customers that a legitimate version of the Ledger ConnectKit would be distributed to replace the malicious file.
A software patch has been developed in response to the attack to address the identified issue. The incident highlights the challenges and risks associated with supply chain attacks in the decentralized space, emphasizing the importance of increased vigilance and security measures.