Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Understanding the Recent Hack on Ledger Connect Kit

Understanding the Recent Hack on Ledger Connect Kit

Share via:

In a startling turn of events, the Web3 community was shaken by a significant security breach. Users of popular dApps like SushiSwap, Zapper.fi, and RevokeCash reported suspicious activities, signaling a potential compromise in a widely-used Web3 connector. This breach serves as a stark reminder of the ever-present vulnerabilities in the DeFi space.

Inside the Attack

The heart of the issue lay in the Ledger Connect Kit library (Ledger Connect Kit v1.1.7). Ledger, a prominent player in digital asset security, confirmed that this library was indeed compromised.

The attackers injected malicious code into the library, transforming it into a ‘drainer’ that targeted users’ wallets. It was possible as a result of a phishing attack targeting the former employee’s npmJS account. This code affected every website utilizing the library, instigating widespread panic among users.

The drainer operated by siphoning funds from wallets, but only after users inadvertently granted approvals to the malicious smart contract. Thus, merely visiting an infected site did not pose an immediate threat. However, once approvals were given, the funds were swiftly drained to two primary wallets:

0x412f10aad96fd78da6736387e2c84931ac20313f and 0x658729879fca881d9526480b82ae00efc54b5c2d, with over $850,000 being stolen in just a few hours.

❗️@SushiSwap, @zapper_fi and @RevokeCash front-ends are compromised!

Stay safe and do not interact with this platform!

🧵All updates will be posted below…
— Hacken🇺🇦 (@hackenclub) December 14, 2023

Lessons Learned

Rigorous Code Auditing: Regular and thorough audits of third-party libraries are essential.

Check Access: Regularly check and revoke access, especially for former employees.

User Awareness: Users must understand the approvals they grant on dApps.

Rapid Response: The need for quick action in the face of security breaches cannot be overstated.

Diversified Asset Allocation: Avoid storing significant funds in a single asset or platform.

Clear Communication: Ensuring timely and transparent communication with users during crises is crucial.

Conclusion

The swift action by Ledger to rectify the issue and Tether’s freezing of the attacker’s wallet highlight the resilience of the Web3 community. However, this incident reminds us how important it is to always be alert and to keep learning about digital assets. As we go forward, we should all work together to strengthen our security, stay up-to-date, and carefully make our way through the ever-changing world of Web3 with a better understanding of how to stay safe.

Follow @hackenclub on 𝕏 (Twitter)