Losses Reported, Users Urged to Exercise Caution
BlockAid, a cybersecurity firm specializing in Web3 security, disclosed that substantial losses of approximately $150,000 have been incurred due to the integration of the malicious code into live websites. However, Ledger assured users that as long as they refrain from conducting transactions, their assets are safe.
Ido Ben-Natan, CEO of Ledger, emphasized that the exploit could not be carried out without prior user confirmations, but acknowledged that many websites were affected and warned of the potential impact on users.
SushiSwap, a decentralized exchange platform, addressed the issue on its platform and acknowledged the compromise in Ledger’s connector, which could enable the injection of malicious code into various decentralized applications (dApps).
Precautionary Measures by Revoke.cash and Ledger
As a safety measure, Revoke.cash, a service enabling users to reclaim transaction signing capabilities granted to Web3 apps, temporarily suspended its front-end operations to prevent user deception.
Ben-Natan specifically cautioned against interactions with Revoke.cash, given its vulnerability to the attack. Ledger’s official account confirmed the potential attack vector and stated that the malicious code has since been eliminated.
The new version of Ledger’s software is currently being propagated and is expected to neutralize the threat completely once activated, depending on the caching of third-party dApps.
Remaining Wary and Informed
While the malicious code only recently emerged and can result in funds being stolen only if further actions are taken, experts recommend exercising caution and refraining from using crypto web apps. WalletConnect, a widely-used interface for dApp developers without direct integration with Ledger, also issued a warning to users.
Philip Costigan, Head of Public Relations at Ledger, urged users to avoid interacting with any dApps for the time being and assured them of regular updates as the situation unfolds.
In previous incidents, such as the SushiSwap token sale platform attack, users lost approximately 865 ETH ($3 million at the time and $2 million presently). These attacks involved DNS manipulation to redirect unsuspecting users to counterfeit versions of genuine platform websites, leading to funds being redirected to the attackers.
Updated on December 14, 2023, at 8:34 AM ET, 8:53 AM ET, 9:03 AM ET, and 9:15 AM ET with additional information and comments from Ledger and BlockAid.