Multiple Ethereum-based applications including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were compromised early Thursday due to a Ledger security breach. Ledger, the Paris-based crypto hardware wallet manufacturer, said it has fixed the malicious code as of 13:35 UTC — the company also warned users to “Clear Sign” transactions, a way to ensure you are interacting directly with the company’s website and software.
It’s not yet known how many decentralized apps (dapps) were/are affected, or how much money has been lost. Anecdotal reports on social media suggest the exploit is widespread. Blockaid, a blockchain security firm, said upwards of $150,000 in crypto had been lost due to this unique “supply chain attack” on Ledger’s Connect Kit, which is deployed across the decentralized finance (DeFi) ecosystem.
This is an excerpt from The Node newsletter, a daily roundup of the most pivotal crypto news on CoinDesk and beyond. You can subscribe to get the full newsletter here.
“Do not interact with ANY dApps until further notice,” Sushi Chief Technology Officer Matthew Lilley wrote on X/Twitter, one of the first people to acknowledge the attack. “It appears that a commonly used Web3 connector has been compromised, which allows for injection of malicious code affecting numerous dApps.”
Hacks are a common occurrence in crypto, especially in the free-wheeling world of decentralized finance (DeFi), where financial software is frequently deployed without the appropriate level of auditing and testing as well as used by people without the knowledge to do proper due diligence. Centralized entities, aka companies, like Ledger, are also common targets for assaults.
These types of breaches are a stain on the industry, affecting not only actual people and projects but also crypto’s reputation. Internet pioneer and security expert Steve Gibson keeps up with the litany of crypto hacks on the popular podcast, “Security Now,” he co-hosts with fellow tech legend Leo Laporte, and recently said any industry where there is a running tally of the largest hacks should be treated with extreme skepticism.
Still, there is sometimes a silver lining to crypto exploits. These events, however blackening, can also be moments of levity, and a chance for seasoned crypto professionals to showcase their skills and the built-in benefits of blockchain. Most crypto transactions cannot be reversed, but attackers can end up in a dead-end trying to actually capitalize on their ill-gotten gains.
Read more: Ledger Exploit Endangers DeFi; Sushi Says 'Do Not Interact With ANY dApps'
Tether, the largest stablecoin issuer, for instance, announced it froze the explorer's address hours after the hack, which speaks to the ability for on-chain sleuths to track down and put pressure on attackers.
So, is it too soon to laugh about it? Just last week, CoinDesk listed Ledger CEO Pascal Gauthier and several of the impacted DeFi protocols on its annual Most Influential list — perhaps we can laugh about the inauspicious timing. But that’s the thing about open-source development that happens in the public eye, even the worst moments can hold valuable lessons for all. On social media, the breach has become an occasion to joke, condemn and learn:
it’s called a zk rollup because you have zero knowledge of where your money went
— Gwart (@GwartyGwart) December 14, 2023
most tweets about ledger are wrong
— Udi | BIP-420 🐱 (@udiWertheimer) December 14, 2023
here’s what you need to know:
ALL ACTIVE ETHEREUM WALLETS ARE AT RISK
don’t connect ANY ethereum/evm wallets to ANY apps until further notice
doesn’t matter if it’s a ledger or not
if you didn’t use your wallet today you’re safe
How big does the airgap have to be? Is it necessary to put something between my ledger and my computer? Should i put my ledger in the fridge? https://t.co/a88I19pU8u
— poordart (@poordart) December 14, 2023
they always tell us “not your keys, not your coins”
— david phelps 🐮🏰🃏🐘 (@divine_economy) December 14, 2023
but always forget to mention the second part:
“your keys, still not your coins”
One bug in some thingy a bunch of apps use and the entire future of finance collapses
— poordart (@poordart) December 14, 2023
Lol. Lmao. pic.twitter.com/juPm7MRfLt
It’s called Ledger because that's what they're having to talk most of their users off of rn
— laurence (@functi0nZer0) December 14, 2023