Ledger Push Connect Kit Fix, Recommend 24 Hour Pause

Popular hardware wallet manufacturer Ledger have advised users not to connect to dApps for the next 24 hours after pushing an urgent fix to rectify a compromised version of their Ledger Connect Kit library.

This library – which is used by the likes MetaMask, Coinbase, Lido and others to connect their services to hardware wallets – was compromised following a phishing attack on an ex-Ledger employee, with the hacker publishing a malicious file that drained users wallets.

A secure version of Ledger Connect Kit has now been distributed to users automatically, with Ledger publishing a timeline of events and their initial investigation.

FINAL TIMELINE AND UPDATE TO CUSTOMERS:

4:49pm CET:

Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.

The investigation continues, here is the timeline of what we know about…

— Ledger (@Ledger) December 14, 2023

When was the threat identified and fixed?

The threat was publicly identified by Matthew Lilley, CTO of decentralised exchange Sushi (formerly SushiSwap), at 12:30pm GMT today.

In a now-deleted tweet, MetaMask announced they’d pushed an update to their service to protect their users shortly thereafter, with a host of other web3 services announcing whether or not they were affected.

Ledger announced a fix at 1:35pm GMT and published a timeline of events at 3:49pm GMT, stating that they’d deployed a fix within 40 minutes of becoming aware of the issue, and that although the malicious file was live for around 5 hours, “the window where funds were drained was limited to a period of less than two hours.”

🚨🚨🚨 RED ALERT 🚨🚨🚨:

Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.

— I’m Software 🦇🔊 (@MatthewLilley) December 14, 2023

How can I protect my assets?

If you use a Ledger hardware wallet, or any of the popular services which use Ledger Connect Kit (including MetaMask, Coinbase, Lido and others), as per Ledger’s recommendation, do not connect to or use any dApps for the next 24 hours.

Many of the most popular web3 services have published statements as to whether they are or are not affected. If you have any concerns, check the most recent information from the services you use prior to connecting your wallet.

To help prevent future attacks, Ledger have advised using Clear Signing – their simple-language transaction signing method – wherever possible, and to “use an additional Ledger mint wallet” if you need to Blind Sign any transactions.

Ledger have stated they are “actively talking with customers whose funds might have been affected”, and will work proactively to “help those individuals at this time.”

Want more? Connect with NFT Plazas

Join the Weekly Newsletter
Follow us on Twitter
Like us on Facebook
Follow us on Instagram

*All investment/financial opinions expressed by NFT Plazas are from the personal research and experience of our site moderators and are intended as educational material only. Individuals are required to fully research any product prior to making any kind of investment.