On December 14, 2023, a security incident was reported: one of the affected companies, Revoke.Cash, reported that after connecting a Ledger wallet to third-party dapps through the Ledger Connect Kit, the digital assets held in the Ledger wallet started draining. Multiple parties were affected by this incident. On 20th December 2023, the CEO of Ledger, Pascal Gauthier, came on X (formerly Twitter) and promised to compensate all the affected individuals by February 2024.
What Exactly Happened on 14th December 2023?
On 14 December 2023, malicious code was injected into the Ledger Connect Kit. The injected drainer code affected Ledger wallets that were connected to third-party DApps.
The code tricked the EVM DApps into signing outbound transactions from the wallet, resulting in the loss of digital assets worth $600,000.
On further investigation, it was found that a former employee's access had been compromised by the attacker, who used it to inject the malicious drainer code into Ledger's NPMJS package (the code used to connect Ledger with third-party DApps). Versions 1.1.5, 1.1.6 and 1.1.7 of the Ledger Connect Kit were affected.
On being notified of the incident, Ledger reacted quickly. It involved its partner WalletConnect to address the malicious activity. Within 40 minutes of the incident being reported, the malicious code was removed from NPMJS.
Even after the malicious code was removed, the file remained online for 5 hours because of CDN caching. Ledger suspects that a few more users might have been affected during this 5-hour span.
Ledger has now released version 1.1.8 of the Ledger Connect Kit.
Later on 14th December, Ledger coordinated with Tether and froze the attacker's account (0x658729879fca881d9526480b82ae00efc54b5c2d). This was done just a few minutes after the malicious code was fixed.
Detailed Root Cause Analysis About the Incident Released by Ledger
The Ledger Connect Kit is a JavaScript-based open-source program that allows developers to connect the Ledger wallet with DApps. The Connect Kit auto-updates to pick up new changes, so developers do not have to update it manually. When the attacker injected the malicious code, it was pushed out automatically as Connect Kit versions 1.1.5, 1.1.6 and 1.1.7, which caused the incident.
Advice From the CEO of Ledger to Avoid Similar Incident in the Future
The CEO of Ledger has advised developers to immediately check the version of the Ledger Connect Kit they are using. If it is lower than 1.1.8, it is advised to immediately upgrade to the latest version, i.e. 1.1.8.
Further, the CEO reminds users to always clear sign using the Ledger device and to avoid blind signing. Since a user clear signing on the Ledger visually checks the transaction details before approving it, this acts as a validation check.
What are the Steps Taken by Ledger, to Avoid a Similar Incident in the Future?
Ledger is currently auditing its security processes and modifying the process for pushing code to the Ledger Connect Kit. It plans to revisit its policies for code review, deployment, access and distribution.
Further, it will increase the frequency of security training for its employees so that they do not fall into a phishing trap in the future.
It is also planning a third-party audit of its internal security processes. Ledger plans to increase the taskforce on infrastructure monitoring and maintenance. If required, the alert monitoring system will be further enhanced to catch such an incident proactively in the future.
As a major step, Ledger is planning to remove the option of blind signing. This will prevent users from blindly signing a transaction and thereby minimize the risk of such a hack in the future.
What to do if you are affected?
If you have been affected by this phishing attack, please register your details here, as shared by the Ledger team.
Takeaway
Ledger tried its best to resolve the issue as soon as it was reported. It is quite a bold move to compensate the affected users for the amount lost. The reported loss, i.e. $600,000, is a significant amount, and the decision to compensate the users who lost their digital assets is applauded by the crypto community.
Never share your passphrases with anyone or on the internet. Please double-check before you sign off a transaction and, finally, avoid blind signing. This will help keep your digital assets secure.