The ‘Ledger hacker’ who siphoned away at least $484,000 from multiple Web3 apps on Dec. 14 did so by tricking Web3 users into making malicious token approvals, according to the team behind blockchain security platform Cyvers.
According to public statements made by multiple parties involved, the hack occurred on the morning of Dec. 14. The attacker used a phishing exploit to compromise the computer of a former Ledger employee, gaining access to the employee’s Node Package Manager JavaScript (NPMJS) account.
We have identified and removed a malicious version of the Ledger Connect Kit.
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
Once they gained access, they uploaded a malicious update to Ledger Connect’s GitHub repo. Ledger Connect is a commonly used package for Web3 applications.
Some Web3 apps upgraded to the new version, causing their apps to distribute the malicious code to users’ browsers. Web3 apps Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash were infected with the code.
As a result, the attacker was able to siphon away at least $484,000 from users of these apps. Other apps may be affected as well, and experts have warned that the vulnerability may affect the entire Ethereum Virtual Machine (EVM) ecosystem.
How it could have happened
Speaking to Cointelegraph, Cyvers CEO Deddy Lavid, chief technology officer Meir Dolev, and blockchain analyst Hakal Unal shed further light on how the attack may have occurred.
According to them, the attacker likely used malicious code to display confusing transaction data in the user’s wallet, leading the user to approve transactions they didn’t intend to.
When developers create Web3 apps, they use open-source “connect kits” to allow their apps to connect with users’ wallets, Dolev stated. These kits are stock pieces of code that can be installed in multiple apps, letting them handle the wallet connection process without writing that code themselves. Ledger’s connect kit is one of the options available to handle this task.
It sounds like today’s security incident was the culmination of 3 separate failures at Ledger:
1. Blindly loading code without pinning a specific version and checksum.
2. Not enforcing “2 man rules” around code review and deployment.
3. Not revoking former employee access.
— Jameson…
Full original article: Cointelegraph.com News