Ledger issued a patch to address the problem but advised customers to wait 24 hours before using its connector library again. According to the team behind Linea, a zero-knowledge rollup by Consensys, the attack on Ledger’s connector library may affect the whole Ethereum Virtual Machine (EVM) ecosystem. The attacker specifically targeted the Ledger connector library, which was developed to streamline communication between Ledger hardware wallets and various decentralized apps (DApps). The security breach also affected wallet provider MetaMask.
To all web3 users,
It looks like this vulnerability is affecting multiple dapps across the whole EVM ecosystem. It is very risky to interact with any dapps until the issue is properly addressed.
Stay safe out there!
— Linea (@LineaBuild) December 14, 2023
According to a tweet, MetaMask has released an update to correct the problem with its MetaMask Portfolio. “Please ensure that you have the Blockaid feature turned on in MetaMask Extension before performing any transactions on MetaMask Portfolio,” the company said in a message on X. Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash are among the other protocols that may be impacted. According to blockchain security firm CertiK, every DApp that imports the Ledger CDN would immediately execute the drainer code, pushing victims to connect via whatever wallet they support.
Many people in the crypto world use the Ledger hardware wallet. Its connector library is an essential component that connects the hardware to multiple DApps, so the hack of this library could have a significant impact on many EVM users and transactions. The hackers launched the attack after a phishing attack on a former Ledger employee led to the compromise of their NPMJS account. “The attacker made available a malicious version of the Ledger Connect Kit (versions 1.1.5, 1.1.6, and 1.1.7). The malicious code rerouted funds to a hacker wallet using an illegal WalletConnect project,” the company said on Twitter. A solution was provided about 40 minutes after the problem was found. Users are advised to wait 24 hours before using the Ledger Connect Kit again.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
The hacker took assets worth almost $484,000, according to blockchain analytics firm Lookonchain, but the impact of the security breach might be worse, according to Ledger.
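For DApp teams that bundle the Connect Kit from npm, the versions Ledger names above can be checked against a project's lockfile. The following is an added example, not code from Ledger or from the article; the npm package name `@ledgerhq/connect-kit` is an assumption (the article only says "Ledger Connect Kit"), and the sample lockfiles are constructed.

```javascript
// Added example: audit a parsed package-lock.json for the Connect Kit
// versions the article names as malicious (1.1.5, 1.1.6, 1.1.7).
const PKG = "@ledgerhq/connect-kit"; // assumption: npm name, not given in the article
const BAD = new Set(["1.1.5", "1.1.6", "1.1.7"]); // versions from the article

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    // Nested copies appear as "node_modules/a/node_modules/<PKG>".
    if (path.endsWith("node_modules/" + PKG) && BAD.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    if (name === PKG && BAD.has(meta.version)) {
      hits.push({ path: path.join(" > "), version: meta.version });
    }
    scanDependencies(meta.dependencies, path, hits); // transitive copies
  }
}

function findCompromised(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "0.0.1" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
    "node_modules/wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "wallet-ui": { version: "2.0.0", dependencies: { "@ledgerhq/connect-kit": { version: "1.1.7" } } },
  },
};
console.log(findCompromised(sampleV3), findCompromised(sampleV1));
```

A lockfile only describes what npm installed at build time. A page that loads the library from a CDN at runtime, the case CertiK describes, is not covered by this check.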