Ledger Warns Users Against Using Web3 dApps After Security Breach

Ledger, a provider of hardware wallets for digital assets, has issued an urgent warning to users. The company’s ‘Ledger dApp Connect Kit’ was compromised in a supply chain attack, leading to theft estimated to be over $484,000, through a wallet drainer embedded in the library.

Immediate Measures and Updates

Ledger revealed on X that a compromised ‘malicious version’ of its Ledger Connect Kit had been distributed. This kit is a key component used by decentralized apps (dApps) from different developers for integrating with the Ledger wallet service.

In response to this breach, Ledger has cautioned its users to stop using dApps temporarily. The malicious code, designed to steal digital assets from connected wallets, raises serious concerns about the security of using these applications.

Ledger has acted to address the issue, removing the compromised library and releasing a new, secure version. Ledger’s technology and security personnel acted promptly, deploying a solution within 40 minutes after the issue was identified. Although the malicious file remained active for nearly 5 hours, the period during which funds were compromised is estimated to be less than two hours.

Projects that utilized the affected versions (1.1.5, 1.1.6, and 1.1.7) are advised to update to this latest version (1.1.8) to ensure safety. Users are also recommended to ‘Clear Sign’ all transactions, following Ledger’s instructions, to add an extra layer of security.