Hardware Wallet Ledger Connect Kit library hacked

qwizzie


Multiple decentralized applications using Ledger’s connector library have been compromised, including SushiSwap and Revoke.cash. Ledger claims the issue has been fixed.

The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were compromised on Dec. 14. Nearly three hours after the security breach was discovered, Ledger reported that the malicious version of the file had been replaced with its genuine version around 1:35 pm UTC.

This raises questions:

* How can one developer who stopped working for Ledger a long time ago still have access to NPM and not even need a second review & ACK from another developer? (Basically, that Ledger developer had God mode all this time and got his account hacked through a phishing attack.)
* Are there developers currently employed by DCG, or developers that were either let go or who rage-quit in the past, currently having the same kind of NPM access (or other content delivery network access, Docker Hub or GitHub for example) as this Ledger developer?
* Are Platform DApps depending on third-party libraries that could get exploited the same way the Ledger Connect Kit library got hacked / exploited (through a successful phishing attack on one specific developer), or is DCG in full control of the libraries with regards to Platform DApps?
* Was Dash Masternode Tool (DMT) also at risk during the exploitation of this Ledger Connect Kit library (3 to 5 hours)? Or is DMT operating without this library? (asking Bertrand --> @Bertrand256)
Since DMT only deals with Dash and not with DApps, I doubt it. But I would still like to know if there is a possible dependency on the Ledger Connect Kit library.
 
I can comment.
The package internally loads a script located at cdn.jsdelivr.net, with a drainer, into the global JS scope. The problematic JS code is at https://github.com/LedgerHQ/connect-kit/blob/main/packages/connect-kit-loader/src/index.ts#L83C49-L83C68, where the import is located in the library itself.
Hence, if you are using some library to handle the Ledger Live connection, your frontend is not secure and users are susceptible to the drainer after authorization (afaik it replaced the wallet connection modal window, so any wallet owners are at risk, not just those using Ledger Live).
DMT, as far as I understand, does not use this JS and therefore is not susceptible to this hack.
Only web3 third-party applications (DEXes, exchanges, etc.) are vulnerable to this hack.
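As an added defender-side example (not code from this thread or from Ledger): a small audit that flags runtime injection of remote CDN scripts in a front-end bundle, of the kind described above, and checks whether a given Content-Security-Policy script-src would have let such a load through. The sample bundle text, the CDN path and the page origin are constructed placeholders.

```javascript
// Added example (not code from this thread or from Ledger): flag runtime
// <script> injection of remote CDN URLs in a front-end bundle and check
// whether a CSP script-src would let such a load through.

// CONSTRUCTED sample resembling a loader that injects a CDN script; it is
// not the real connect-kit source, and the URL is a placeholder.
const SAMPLE_BUNDLE = `
  const CDN = "https://cdn.jsdelivr.net/npm/@example/kit@1/dist/umd/index.js";
  function loadKit() {
    const s = document.createElement("script");
    s.src = CDN;
    document.head.appendChild(s);
  }
`;

// Patterns that indicate code is fetched and executed at runtime rather
// than shipped in the audited bundle (so it can change after deploy).
const SCRIPT_INJECTION_PATTERNS = [
  /document\.createElement\(\s*["']script["']\s*\)/,
  /\bimport\(\s*["'`]https?:\/\//,
];
const REMOTE_URL = /https?:\/\/[^\s"'`)]+/g;

// Remote URLs the bundle would load via injected scripts ([] if none).
function findRuntimeScriptLoads(source) {
  if (!SCRIPT_INJECTION_PATTERNS.some((re) => re.test(source))) return [];
  return [...new Set(source.match(REMOTE_URL) || [])];
}

// Does a CSP script-src source list allow this URL? Handles 'self',
// scheme sources ("https:") and exact origins; host wildcards such as
// *.example.net are not handled (treated as not matching).
function scriptSrcAllows(scriptSrc, url, pageOrigin) {
  const target = new URL(url);
  return scriptSrc.trim().split(/\s+/).some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src;
    try {
      return new URL(src.includes("://") ? src : "https://" + src).origin === target.origin;
    } catch {
      return false;
    }
  });
}

// Runtime-loaded URLs the policy would NOT block: each one is a place where
// code served to users can be swapped without touching the deployed bundle.
function cspExposures(source, scriptSrc, pageOrigin = "https://app.example") {
  return findRuntimeScriptLoads(source).filter((u) => scriptSrcAllows(scriptSrc, u, pageOrigin));
}
```

Pinning the npm version does not help against this pattern, because the code that runs is whatever the CDN serves at request time; a script-src that omits the CDN origin (or Subresource Integrity on a fixed URL) is what actually constrains it.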
 
I wonder if the Dash Incubator web wallet has a vulnerability there. I suspect not, but since it's specifically a web wallet I am not totally sure.
 