Bit Jungle: Ledger security vulnerabilities have affected many Dapps, and it is recommended to reinstall the system instead of simply clearing the cache
At around 20:00 Beijing time on December 14, 2023, multiple projects such as SUSHI and RevokeCash issued security alerts warning users not to interact with any DApp.
Bit Jungle was the first to intervene in the analysis and found that the wallet connectors of these projects integrated the Ledger Connect Kit, which had been tampered with to contain malicious code that steals virtual currency. At around 21:00, Ledger released version 1.1.8 of Connect Kit, which removed the malicious code.
So far, the hack has resulted in a total loss of about $400,000 for multiple users.
The following analyzes the implementation process, impact area, sequence of events, and the criminal team behind the Ledger vulnerability. **Bit Jungle recommends that users reinstall the system instead of simply clearing the cache, in order to resolve the affected DApp issue more thoroughly.** For more in-depth content and views, please also tune in to the live broadcast at 8 p.m. on December 22 (Friday); see the “Event Preview” section at the bottom of this article for event information.
What’s the problem with Ledger
A Wallet Connector is a protocol or tool used to establish communication and interaction between decentralized applications (DApps) and cryptocurrency wallets. Its main purpose is to simplify digital asset management between users and DApps, enabling users to interact with various decentralized services and applications using their cryptocurrency wallets. From the user’s perspective, when a DApp needs to interact with a wallet, it displays a wallet-connection page, as shown in the figure below.
The page will load the code for each connector, such as WalletConnect, which is the most widely used.
The code that has been maliciously modified this time is Ledger’s connector (Ledger Connect Kit), a software development kit (SDK) designed to help developers integrate Ledger hardware wallets (such as Ledger Nano S, Ledger Nano X, etc.) into their applications. It provides a range of APIs and tools that enable developers to interact with Ledger hardware wallets for more secure and reliable digital asset management.
Many DApp sites use this library to connect to Ledger hardware wallets, and some sites (such as SushiSwap and Revoke.cash) quickly took their sites offline and removed the affected libraries.
How the malicious Ledger code was introduced
After checking, Bit Jungle found that the affected websites mentioned above loaded the Ledger wallet connector and were hit by a supply chain attack; the code introduced by the projects is as follows:
[.] jsdelivr[.] net/npm/@ledgerhq/connect-kit@1
As of 21:10 Beijing time, I saw that the latest update on Ledger’s npm release page was two hours ago, and on checking, versions 1.1.5 to 1.1.7 were all found to be malicious changes.
The malicious versions were removed by Ledger on December 15, Beijing time.
Ledger chairman and CEO Pascal Gauthier said former employees were phished as a result.
Flow of funds involved in the case
As of now, the Ledger Exploiter address (0x658729879fCa881D9526480B82aE00EFc54B5c2d) still holds about $330,000 in assets.
From these funds, 4.334 ETH was sent to the hot wallets of Angel Drainer, a well-known cryptocurrency-theft group.
The September 2023 Balancer DNS hijacking attack and the October 2023 Galxe DNS hijacking attack were both linked to the same group.
Angel Drainer, as a crime-as-a-service (CaaS) platform provider, may have supplied only the wallet-draining code used in this attack; other teams may have actually operated the campaign and published the malicious npm package.
Suggested Emergency Measures
Wallet providers
Ensure the network security of the development and release environments to prevent supply chain attacks.
Lock the dependency version in the code rather than using `@1` to load the latest version automatically, as in “[.] jsdelivr[.] net/npm/@ledgerhq/connect-kit@1”.
Regularly update the credentials of key accounts and enable MFA.
Conduct regular security audits of code and development processes.
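As an added example (not code from the Bit Jungle article, from Ledger, or from any affected DApp), the following Node.js script implements the check behind the version-locking advice above: it scans a page’s `<script>` tags for npm packages loaded from a CDN with a floating version tag such as `@1`, `@latest`, or no tag at all (the pattern in the `connect-kit@1` URL quoted earlier), flags tags that lack a Subresource Integrity attribute, and applies the same exact-version rule to `package.json` ranges. It assumes cdn.jsdelivr.net and unpkg.com are the CDNs of interest; the HTML, the `package.json`, and the SRI hash value are constructed sample input.

```javascript
// Added example, not from the Bit Jungle article, Ledger, or any DApp's code.
// Audits <script src> tags for npm packages loaded from a CDN with a floating
// version tag ("@1", "@latest", or no tag) and for missing Subresource Integrity,
// then applies the same exact-version rule to package.json dependency ranges.
// Assumptions: cdn.jsdelivr.net and unpkg.com are the CDNs of interest.
// All inputs below are constructed samples; the SRI hash is a placeholder.

const CDN_HOSTS = new Set(["cdn.jsdelivr.net", "unpkg.com"]);
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Split "@ledgerhq/connect-kit@1/dist/x.js" into { name, version, file }.
// A missing tag means the CDN serves whatever is newest, so treat it as "latest".
function parseNpmPath(p) {
  const m = /^(@[^/@]+\/[^/@]+|[^/@]+)(?:@([^/]+))?(\/.*)?$/.exec(p);
  if (!m) return null;
  return { name: m[1], version: m[2] || "latest", file: m[3] || "" };
}

// Map a script URL to the npm package it resolves to, or null for
// self-hosted / relative scripts and unknown hosts.
function parseCdnUrl(src) {
  let url;
  try { url = new URL(src); } catch { return null; }
  if (!CDN_HOSTS.has(url.hostname)) return null;
  let path = url.pathname.replace(/^\/+/, "");
  if (url.hostname === "cdn.jsdelivr.net") {
    if (!path.startsWith("npm/")) return null; // gh/, wp/ etc. are out of scope
    path = path.slice("npm/".length);
  }
  return parseNpmPath(path);
}

// Return one finding per CDN-loaded script: what it pins (or not) and whether
// an SRI integrity attribute is present. `issues` is empty for a clean tag.
function auditScripts(html) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = tag[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;
    const pkg = parseCdnUrl(src[1]);
    if (!pkg) continue;
    const pinned = EXACT_SEMVER.test(pkg.version);
    const hasIntegrity = /\bintegrity\s*=\s*["']sha(?:256|384|512)-[^"']+["']/i.test(attrs);
    const issues = [];
    if (!pinned) issues.push(`floating version "${pkg.version}"`);
    if (!hasIntegrity) issues.push("no SRI integrity attribute");
    findings.push({ src: src[1], name: pkg.name, version: pkg.version, pinned, hasIntegrity, issues });
  }
  return findings;
}

// Same rule for package.json: without a lockfile, "^1.1.3" resolves to the
// newest matching release at install time, so it is not a locked version.
function auditDependencies(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, spec]) => !EXACT_SEMVER.test(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// Constructed sample page: one floating tag, one pinned tag with SRI, one
// unpinned unpkg script, one self-hosted script.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8/dist/umd/index.js"
        integrity="sha384-PLACEHOLDER_NOT_A_REAL_HASH"
        crossorigin="anonymous"></script>
<script src="https://unpkg.com/example-lib/dist/index.js"></script>
<script src="/static/app.js"></script>`;

// Constructed sample package.json (example-ui-lib is a hypothetical package).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "@ledgerhq/connect-kit": "^1.1.3", "example-ui-lib": "2.0.1" },
};

for (const f of auditScripts(SAMPLE_HTML)) {
  console.log(`${f.name}@${f.version}: ${f.issues.length ? f.issues.join("; ") : "ok"}`);
}
for (const d of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`package.json: ${d.name} uses range "${d.spec}" rather than an exact version`);
}
```

Run it with `node audit.js` against your own HTML and `package.json` contents. Pinning an exact version stops a newly published release from being served to existing pages; the SRI attribute additionally makes the browser refuse the script if the bytes behind a pinned URL ever change. Neither replaces reviewing the pinned release itself, and a `package.json` range is only as locked as the lockfile you commit and install from.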
Users
Avoid interacting with any DApps until Ledger has completely fixed the issue.
After the Ledger fix, clear the local browser cache (mobile and desktop) and the cache of the DApp application.
Because the malicious code is obfuscated, it may also have obtained device permissions at the same time; it is strongly recommended to reinstall the system to resolve the affected DApp issue more completely.
Project teams
Remove Ledger’s connector promptly to avoid affecting more users.
Bit Jungle Event Notice
Ledger Security Incident Emergency Measures
Bit Jungle: Plan to invest 60 million to develop a hardware wallet
Topics to be discussed
Why did the Ledger wallet security incident happen?
What genes should a good wallet company have?
The thinking behind the Bit Jungle plan to invest 60 million to build a wallet business
How to Listen
Friday, December 22, 8 p.m. Scan the QR code 👇 on the poster below.