Ledger ConnectKit library security flaw impacts Web3 decentralized applications
Take action: If you use SushiSwap or another crypto exchange, check your balance and consider moving your funds into a cold wallet until the exchange publishes that the issue is resolved. If you develop with Ledger’s ConnectKit, patch immediately. And for everyone who ships code, the risk of malicious code injection is never to be ignored: secure the CDN content from which you distribute your library versions.
A critical security issue has impacted several decentralized applications (dApps), including SushiSwap, due to a vulnerability in Ledger's ConnectKit. This vulnerability allowed attackers to inject harmful JavaScript into Decentralized Finance (DeFi) interfaces widely used in the crypto industry.
The problem stems from Ledger's failure to version-lock the JavaScript it loaded from a content delivery network (CDN); once the CDN-served code was compromised, the injected code was pulled in by every dependent site. The attack, identified as a "supply chain attack," targeted Ledger's API kit, affecting multiple dApps including SushiSwap, Zapper, and RevokeCash.
The exploit led to the injection of a 'wallet drainer' code into Ledger's library, causing concern across the crypto community. The malicious code was discovered in Ledger’s ConnectKit, which is used for connecting blockchain apps with Ledger devices. As a result, users of crypto web apps were advised to avoid the impacted platforms until the full scope of the cybersecurity incident was understood.
The incident led to significant financial losses, with an estimated $150,000 lost initially, rising to over half a million dollars. The attack affected various dApps, leading to the temporary disabling of front-ends for SushiSwap, Kyber and RevokeCash to prevent further losses.
In response, Ledger confirmed the potential attack and removed the malicious code. A genuine version of the file was pushed to replace the compromised one. However, users were still advised to refrain from interacting with any dApps until the situation was fully resolved. MetaMask, a popular web3 wallet app, also deployed a fix and urged users to update to the latest version.