Ledger Connect’s user interfaces were disabled following a decentralized application (dApp) attack. Developers of NFT platform OpenSea also warned against connecting to any dApp using Connect until further notice. Here are the latest known developments regarding the attack.
Decentralized finance (DeFi) protocol Lido Finance announced that “front-end user interfaces have been disabled as a precaution while the Ledger Connect issue is investigated.”
Earlier in the day, the user interfaces of Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash fell victim to the Ledger Connect attack. The company has since announced that the vulnerability has been patched and that the issue was caused by a “malicious version of the Ledger Connect Kit.”
An original version is currently being sent to replace the malicious file. Do not interact with any dApps for now. We will continue to keep you informed as the situation develops.
NEWS CONTINUES BELOW
Initial reports claim that the attack drained at least $484,000 in digital assets. Tether, behind the USDT stablecoin, announced that the attacker had frozen its wallet. According to the developers, the “original version” of the Ledger Connect Kit is currently “propagating automatically.” However, users are advised to wait 24 hours before using the kit again.
The vulnerability in question is attributed to a phishing attack on a former Ledger employee, which allowed hackers to gain access to sensitive information. “We are filing a complaint and working with law enforcement on the investigation to find the attacker,” the developers wrote. An estimated two hours elapsed between the time funds were released and a fix distributed.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023