DeFi Disruption: Former Insider Unleashes Code, Draining $484K from Ledger; Exploiting Chaos

In a recent cyber attack, malicious actors successfully absconded with $484,000 by implanting destructive code into the Github library associated with the Connect Kit—a pivotal component of blockchain software maintained by Ledger, a prominent crypto wallet firm. The aftermath of this security breach reverberated across various decentralized finance (DeFi) protocols that heavily rely on the compromised library, prompting urgent advisories urging users to refrain from interacting with decentralized apps (dApps) until the affected protocols receive essential updates.

A hacker attacked #Ledger and has stolen ~$484K assets.#LedgerExploiter transferred 4.334 $ETH to #AngelDrainer.

And the #AngelDrainer is also receiving assets currently and holds $363K assets.https://t.co/ZG5SRlKBjW pic.twitter.com/RK9aPyAjEE

— Lookonchain (@lookonchain) December 14, 2023

The Connect Kit, a foundational code streamlining the interaction between DeFi protocols and crypto hardware wallets, casts a shadow of potential repercussions on the front-end operations of numerous protocols employing it. This includes well-known platforms such as Sushi, Lido, Metamask, and Coinbase.

In an official post on Thursday, Ledger openly acknowledged the incident, revealing that one of its employees fell prey to a "phishing attack." Subsequently, the assailant unleashed a malevolent version of the Ledger Connect Kit into the public domain. A Ledger spokesperson assured Bitsday that the company promptly identified and removed the malicious iteration, specifying that the window during which funds were drained lasted less than two hours.

FINAL TIMELINE AND UPDATE TO CUSTOMERS:

4:49pm CET:

Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.

The investigation continues, here is the timeline of what we know about…

— Ledger (@Ledger) December 14, 2023

Despite Ledger's swift response in fortifying its code, Ido Ben-Natan, the CEO of blockchain security firm Blockaid, underscored persisting vulnerabilities. Ben-Natan noted that numerous websites remain compromised, leaving users in continued jeopardy. To achieve comprehensive risk mitigation, all protocols utilizing Ledger's Connect Kit must undergo manual updates of their library versions. Meanwhile, specific protocols, notably revoke.cash—a service instrumental in removing permissions from DeFi protocols—remain exposed to potential exploits.

In response to the ongoing situation, Ben-Natan issued a caution against engaging with revoke.cash, emphasizing that the financial impact extends to hundreds of thousands of dollars over the past two hours. This incident adds to a series of DeFi-related breaches throughout the year, with a staggering $303 million pilfered in July alone through exploits targeting Curve Finance and Multichain. Typically, users turn to platforms like revoke.cash to revoke permissions following such incidents. However, this particular compromise stands out as it primarily affects the front-end operations of websites rather than hot wallets, potentially subjecting revoke.cash users to connect their wallets with a malicious token drainer.

In a commendable response, MetaMask swiftly deployed a fix, eradicating the malicious code within two hours of the hack. This exploit underscores the inherent fragility of decentralized applications, shedding light on the susceptibility introduced by the utilization of code from multiple providers like Ledger. The incident also rekindles memories of Ledger's past security lapses, including a significant customer database leak in 2020 and controversies surrounding the security claims of its hardware products.

Read More: MetaMask App Store Update: Swift Resolution