Ledger Hardware Wallet Will Compensate Users for $600,000 Exploit
Hardware wallet provider Ledger has announced its intention to reimburse victims for the approximately $600,000 in assets lost due to the recent ConnectKit exploit.
In a December 20 statement on X (formerly Twitter), the firm assured that the lost assets would be reimbursed before the end of February 2024.
We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.
We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.
Ledger…
— Ledger (@Ledger) December 20, 2023
The crypto wallet manufacturer also revealed it has reached out to the impacted victims and is actively working through all recovery specifics to ensure a seamless payment process.
Meanwhile, users who signed transactions on all exploited decentralized applications (dApps) connected to ConnectKit are advised to revoke all authorized transactions to minimize potential risks associated with the breach.
On December 14, cryptonews reported that the user interfaces of several dApps utilizing Ledger’s ConnectKit, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, were compromised.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
Matthew Lilley, the Chief Technical Officer (CTO) of SushiSwap, was among the first to identify and report the issue. He noted the compromise of a widely used Web3 connector, which allowed the injection of malicious code into multiple decentralized applications (dApps).
🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
Approximately three hours after the security breach was identified, Ledger confirmed that the malicious version of the file had been replaced with its authentic counterpart.
The Potential of ‘Clear Signing’ in the dApp Ecosystem
Ledger has reaffirmed its commitment to enhancing security measures to strengthen the ecosystem and prevent future incidents.
In line with this commitment, the firm plans to collaborate with the dApp ecosystem to implement Clear Signing and discontinue the Blind Signing feature from its devices by June 2024.
The Clear Signing feature will enable users to scrutinize and verify transaction details before granting approval.
Switching to Clear Signing "and no longer allow Blind Signing by June 2024" is a great increase in security.
A crucially needed feature. Hope compatibility with dApps won't be affected.
— Ignas | DeFi Research (@DefiIgnas) December 20, 2023
With Clear Signing, wallet enthusiasts can directly examine important information such as transaction amounts, recipient addresses, and other relevant details on their Ledger devices or other secure displays.
According to the firm, this verification process empowers users to make informed decisions and confirm the accuracy of the transaction they are about to authorize.
The crypto wallet provider has also appealed to dApp developers to prioritize customers’ security and trust in the decentralized ecosystem by building apps that support the new security feature.
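As an added illustration that is not part of the original article or of Ledger's code, the following Python decodes the calldata of an ERC-20 `approve` or `transfer` into the fields a clear-signing display would show the user (function, spender or recipient address, amount), flagging the unlimited approvals a blind signer never sees and the zero-amount approvals that constitute the revocation advised earlier. The selectors are the well-known ERC-20 ones; the addresses and amounts are constructed placeholders.

```python
from dataclasses import dataclass, field

# Well-known ERC-20 selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": ("approve", ("spender", "amount")),
    "a9059cbb": ("transfer", ("to", "amount")),
}
MAX_UINT256 = 2**256 - 1

@dataclass
class DecodedCall:
    function: str
    args: dict = field(default_factory=dict)
    unlimited_approval: bool = False  # approve(spender, 2**256-1): lets the spender drain the token
    revocation: bool = False          # approve(spender, 0): what "revoke your approvals" means

def decode_calldata(calldata_hex: str) -> DecodedCall:
    """Turn raw ERC-20 approve/transfer calldata into the fields a clear-signing
    display would show. Under blind signing the user sees only a hash of these bytes."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte function selector")
    name, params = SELECTORS.get(data[:4].hex(), (None, None))
    if name is None:
        raise ValueError(f"unknown selector 0x{data[:4].hex()}: cannot be clear-signed")
    body = data[4:]
    if len(body) != 32 * len(params):  # ABI encodes every argument as one 32-byte word
        raise ValueError("malformed ABI payload length")
    call = DecodedCall(function=name)
    for i, param in enumerate(params):
        word = body[32 * i:32 * (i + 1)]
        if param == "amount":
            call.args[param] = int.from_bytes(word, "big")
        else:  # address: 20 bytes, left-padded with 12 zero bytes
            if any(word[:12]):
                raise ValueError(f"non-zero padding in address word for '{param}'")
            call.args[param] = "0x" + word[12:].hex()
    call.unlimited_approval = name == "approve" and call.args["amount"] == MAX_UINT256
    call.revocation = name == "approve" and call.args["amount"] == 0
    return call

# Constructed sample calldata (addresses are placeholders, not real contracts).
SPENDER = "11" * 20
RECIPIENT = "22" * 20
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32  # unlimited approval
SAMPLE_REVOKE = "0x095ea7b3" + "00" * 12 + SPENDER + "00" * 32   # revoke that approval
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + RECIPIENT + format(10**21, "064x")  # 1000 tokens, 18 decimals
```

Calldata for a selector outside the small table raises instead of guessing, which mirrors the real trade-off: a function the device cannot decode is exactly the case that used to fall back to blind signing.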