“Drainer” Vulnerability Found in Ledger ConnectKit, Web3 Apps Exposed

A security incident occurred in the Web3 domain, compromising the integrity of the Ledger ConnectKit library, which is a vital component for connecting Ledger Live with various applications. The attackers replaced the library with a “drainer” script, presenting a significant risk to user funds.

ConnectKit, the compromised package, automatically loads a JavaScript script from cdn.jsdelivr.net into the global scope. This script includes a drainer, making the frontend of applications utilizing this library vulnerable, especially after user authorization. Reports suggest that the attackers modified the wallet connection modal window, exposing all wallet owners to potential risks, not just those utilizing Ledger Live.

Prominent cryptocurrency security experts such as Banteg have verified the compromise of the Ledger library and are warning against engaging with decentralized applications (dApps) until further details are clarified. The vulnerability seems to extend to the Ledger connect-kit-loader as well, as it specifies the connect-kit dependency in a loose manner.

The potential consequences of the attack are far-reaching, evident in a compilation of affected libraries and applications that depend on the package. The recommendation from Ledger to use connect-kit-loader for loading connect-kit compounds the problem, as even fixed versions of the loader retrieve the latest edition of connect-kit, resulting in widespread infiltration.

Attackers have successfully compromised a substantial number of libraries by specifically targeting the connect-kit. Ledger recognizes version 1.1.4 as the latest verified secure release but deems all releases up to 1.1.7, posted on the day of the attack, as compromised.
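The two mechanisms described above, a script fetched at runtime from a CDN and a loader that references the kit through a loose version spec, are both pinning failures that a front-end team can check for mechanically. The following is an added example, not code from Ledger or from any affected project: it flags floating version specs in a package.json, flags CDN script URLs that carry no exact version or no Subresource Integrity hash, and simulates what a floating spec resolves to against a constructed list of published versions. The package names, the jsDelivr-style URL layout and the version list (using the 1.1.4 to 1.1.7 numbers the article gives) are constructed for illustration and are not the real package's manifest.

```javascript
// Added example (not Ledger's or any project's code): audit how a front end pins
// the scripts and packages it loads, so that a "fixed" loader version cannot
// silently pull a newer publish of a dependency. Package names, versions and
// URLs are constructed for illustration only.

// Only a full x.y.z (optionally with pre-release/build tags) counts as pinned.
const SEMVER_EXACT = /^=?v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinnedSpec(spec) {
  return typeof spec === 'string' && SEMVER_EXACT.test(spec.trim());
}

// Report every dependency whose spec is a range, tag or wildcard rather than an exact version.
function auditDependencies(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'peerDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinnedSpec(spec)) {
        findings.push({ section, name, spec,
          reason: 'floating spec: a newer publish is picked up on the next install' });
      }
    }
  }
  return findings;
}

// jsDelivr-style npm paths look like /npm/<name>[@<spec>]/<file>; a missing or
// floating <spec> means the CDN serves whatever was published most recently.
const CDN_PATH = /^\/npm\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(\/.*)?$/;

function auditCdnUrl(url) {
  const m = CDN_PATH.exec(new URL(url).pathname);
  if (!m) return { ok: false, reason: 'not an npm package path' };
  const [, name, spec] = m;
  if (spec === undefined) return { ok: false, name, reason: 'no version in URL' };
  if (!isPinnedSpec(spec)) return { ok: false, name, spec, reason: 'floating version in URL' };
  return { ok: true, name, spec };
}

// A script tag is only verifiable when the URL is pinned and carries an SRI hash;
// without both, a new publish at the same URL is executed unchecked.
function auditScriptTag({ src, integrity }) {
  const reasons = [];
  const cdn = auditCdnUrl(src);
  if (!cdn.ok) reasons.push(cdn.reason);
  if (!integrity) reasons.push('no integrity attribute (Subresource Integrity)');
  return reasons;
}

// --- Resolution simulation: what does a floating spec actually fetch? ---
function parseVer(v) {
  const p = v.split('.').map(Number);
  while (p.length < 3) p.push(0);
  return p;
}
function cmpVer(a, b) {
  const [x, y] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Supports exact "x.y.z", caret "^x.y.z", bare prefixes "x" / "x.y", and "latest" / "*".
function resolveSpec(spec, published) {
  const sorted = [...published].sort(cmpVer);
  if (isPinnedSpec(spec)) return published.includes(spec) ? spec : null;
  if (spec === 'latest' || spec === '*') return sorted[sorted.length - 1] || null;
  const caret = spec.startsWith('^');
  const base = caret ? spec.slice(1) : spec;
  const want = base.split('.').map(Number);
  const hits = sorted.filter((v) => {
    const p = parseVer(v);
    if (caret) return p[0] === want[0] && cmpVer(v, base) >= 0;
    return want.every((n, i) => p[i] === n);
  });
  return hits.length ? hits[hits.length - 1] : null;
}

// Constructed inputs mirroring the incident's shape: a pinned loader that still
// references the kit through a floating spec, and a version list where the
// newest publishes are the ones the article describes as compromised.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'connect-kit-loader': '1.0.1', 'connect-kit': '^1.1.4' },
  devDependencies: { 'build-tool': 'latest' },
};
const PUBLISHED_KIT_VERSIONS = ['1.1.4', '1.1.5', '1.1.6', '1.1.7'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
  console.log(auditCdnUrl('https://cdn.jsdelivr.net/npm/connect-kit@1/dist/index.js'));
  console.log('^1.1.4 resolves to', resolveSpec('^1.1.4', PUBLISHED_KIT_VERSIONS));
}
```

Run with `node`. The resolution simulation makes the article's point concrete: pinning the loader to an exact version changes nothing when the loader itself asks for `^1.1.4` or a bare `@1`, because both resolve to 1.1.7, the newest publish. The defensive fix is an exact version at every hop plus an `integrity` attribute on any script tag that pulls from a CDN, so a replaced file fails verification instead of running.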

Earlier today, the user interfaces of various decentralized applications like Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash were compromised in connection with the Ledger Connect exploit. Ledger has since announced that the exploit has been addressed, attributing the issue to a “malicious version of the Ledger Connect Kit.”

This security incident highlights the crucial significance of implementing robust cybersecurity measures in the ever-changing landscape of Web 3.0. Even established tools like Ledger’s library are vulnerable to sophisticated cyber-attacks in this dynamic environment.

Several decentralized applications (dApps) have temporarily deactivated their front-end user interface for Ledger Connect in response to the exploit. On December 14, developers of the non-fungible token (NFT) platform OpenSea advised users not to connect to any dApps using Ledger Connect until further notice.

In the meantime, the decentralized finance (DeFi) protocol Lido Finance announced that its front-ends have been disabled as a precautionary measure while the investigation into the Ledger Connect issue is ongoing.

Preliminary reports claim that the attack has drained at least $484,000 in digital assets. Tether, the issuer of the Tether (USDT) stablecoin, has since frozen the exploiter’s address.