Breaking: On-Chain Data Suggests Popular Decentralized Applications are Compromised – Here’s the Latest

Multiple popular decentralized applications (dApps) have been compromised following a hack against a popular Web3 connector on Wednesday, numerous software experts confirmed on Thursday.

“Do not interact with ANY dApps until further notice,” warned Matthew Lilley, CTO of SushiSwap, in a post to X. “It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.”

The connector in question is “Ledger Connector,” a tool from the popular wallet provider that lets crypto users connect their mobile wallets to decentralized apps like exchanges and lending platforms.

As such, the attack doesn’t solely affect one dApp, but any that may use Ledger’s connect kit.

🚨🚨🚨 RED ALERT 🚨🚨🚨:

Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.

— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023

Shortly thereafter, Ledger confirmed that the malicious code had been identified and removed from its libraries and that user wallets had not been compromised.

“A genuine version is being pushed to replace the malicious file now,” the company stated.

Other X users like @bantg confirmed in advance that Ledger’s software library had been compromised and “replaced with a drainer,” with new fields like “minimalDrainValue” inserted into its code.

Given the frequency of new updates to the database in the last few hours, onlookers didn’t believe the real Ledger company was responsible.

According to @officer_cia – a hacker relations expert for Web3 security firm Remedy – some affected dApps included Sushi, as well as the DeFi dashboard Zapper, and “wallet hygiene” service Revoke.cash.

Stay Away From dApps, Expert Warn

Polygon Labs VP Hudson Jameson has acknowledged the hack and also warned crypto users to not use any dApps. “This is an ongoing situation and it is risky to use dApps currently if you don’t understand what backend libraries they use,” he said.

While visiting dApp websites alone won’t allow users’ funds to be drained, certain prompts from browser wallets – such as MetaMask – will invite users to mistakenly forfeit their assets to hackers.

“Does Ledger know about this? Yes they do and are working on it,” said Jameson. Nevertheless, projects using Ledger’s library will need to “update things” even after Ledger corrects for any malicious code.

This is the second time this year that Ledger has come under fire for poor security practices.

In May, Ledger was blasted for its “Ledger Recover” wallet service, which triggered concern that the accompanying firmware update would allow users’ private keys to be extracted from their wallets.

After criticism cooled off, the company debuted the product the late October.