Hardware wallet manufacturer Ledger has warned users not to connect to decentralized applications (dapps), after a malicious version of the Ledger Connect Kit was identified.

A spokesperson for Ledger told Decrypt that, “We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment.” The spokesperson added that Ledger devices and its Ledger Live app were not compromised, and that the firm “will keep users informed as the situation evolves.”

Software wallet developer MetaMask also warned users to "stop using dapps" as news of the attack broke.

The compromised version of the Connect Kit, a library that enables the Ledger hardware wallet to connect with dapps, was first identified by developers posting on Twitter.


Web3 security firm BlockAid reported that, "The attacker injected a wallet draining payload" into the Ledger Connect Kit's NPM package, adding that dapps using versions 1.1.4 and above of Ledger's connect-kit, including Sushi.com and Hey.xyz, were affected.

SushiSwap CTO Matthew Lilley castigated Ledger for a “chain of terrible blunders,” explaining that, “a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.”


He added that users should avoid using any dapps “until their teams confirm that they have mitigated the attack.”

Ethereum core developer liaison Hudson Jameson explained that, "A library that is used by many dapps that is maintained by Ledger was compromised and a wallet drainer was added." Reiterating that, "it is risky to use dapps currently if you don't understand what backend libraries they use," Jameson added that, "Even after Ledger corrects the bad code in their library, projects using and deploying that library will need to update things before it is safe to use dapps that use Ledger's web3 libraries."

Ledger has faced criticism over its security in recent months, with the firm's voluntary ID-based Recover service drawing the ire of crypto users.

The service, which is unrelated to today's attack, splits up the user's seed phrase and stores it with three separate custodians, requiring the user to provide their passport or national identity card as ID. With irate users dubbing the service a "backdoor," Ledger's co-founder Éric Larchevêque called the rollout of the service "a total PR failure, but absolutely not a technical one."

In November, a fraudulent Ledger app on the Microsoft App Store drained nearly $1 million from unsuspecting customers, while in 2020 the firm faced criticism after a customer email database was hacked, with over a million user emails compromised.
