Ledger Exploit Drained $484K, Upended DeFi; Former Staffer Linked to Malicious Code
Security firm Blockaid's CEO told CoinDesk that users are still at risk.

Hackers stole $484,000 on Thursday after inserting malicious code into the GitHub library for Connect Kit, a widely used piece of blockchain software maintained by the crypto wallet firm Ledger. Several major decentralized finance (DeFi) protocols that use the library have been impacted, and users have been warned to avoid using decentralized apps (dApps) altogether until these protocols are updated.
Ledger's Connect Kit is a piece of code that allows DeFi protocols to connect to crypto hardware wallets. The exploit potentially impacts the front-end of all protocols that use the Connect Kit, which include the likes of Sushi, Lido, MetaMask and Coinbase.
In an X post on Thursday addressing the incident, Ledger confirmed that an employee had been targeted in a "phishing attack," after which point the attacker "published a malicious version of the Ledger Connect Kit."
A Ledger spokesperson told CoinDesk that it has "identified and removed a malicious version of the Ledger Connect Kit," and the company said in its X post that "the window where funds were drained was limited to a period of less than two hours."
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
Although Ledger has updated its own code, Ido Ben-Natan, the CEO of blockchain security firm Blockaid, told CoinDesk in a Telegram message that "many websites are still affected and users are getting hit." For the risk to be completely mitigated, every protocol using Ledger's Connect Kit has to manually update its version of the library. In the meantime, several protocols remain at risk, specifically revoke.cash, a service used to remove permissions from DeFi protocols.
"Revoke.cash specifically is affected so don’t interact with it," Ben-Natan added. "The number of impacted funds is hundreds of thousands of dollars over the past two hours."
DeFi-related hacks have been frequent throughout this year, and $303 million was stolen in July alone following exploits to Curve Finance and Multichain. After hacks take place, users typically use websites like revoke.cash to remove permissions from impacted protocols.
In this case, however, as the front-end of websites has been impacted as opposed to hot wallets, revoke.cash users will be prompted to connect their wallets to a malicious token drainer, thus broadening the scope of the hack to anything in a user's wallet.
MetaMask announced that it had deployed a fix to remove the malicious code two hours after the hack occurred.
The exploit underscores the fragility of decentralized applications: because protocols use code from several software providers like Ledger, there are numerous points of failure along the supply chain that can ultimately impact users.
Ledger has previously fallen victim to security issues. In 2020 its entire customer database was leaked, leading to fears of SIM swapping and home invasion attacks. It also faced controversy this past year after a software update revealed discrepancies between the security of its hardware versus how it was marketed to users.