Many DeFi protocols were affected by the supply chain attack on Ledger ConnectKit.
Kyber and RevokeCash swiftly took their front ends offline in response to the threat.
The Decentralized Finance (DeFi) sector was shaken when Ledger ConnectKit fell victim to a supply chain attack that resulted in a rug-pull security compromise.
The vulnerability, described as a “supply chain attack,” allowed malicious code to be injected into various Decentralized Applications (dApps), putting users and their assets at considerable risk. Web3 security company Blockaid identified LedgerHQ’s ConnectKit, specifically versions newer than 1.1.4, as the compromised package in the attack.
According to Ledger, a former employee was targeted by a phishing attack this morning, and their NPMJS account was compromised as a result. The malicious code used a rogue WalletConnect project to redirect to a hacker’s wallet. Ledger said it is working with the police and filing a formal complaint in an effort to identify the perpetrator.
Multiple Protocols Affected
Many DeFi protocols were affected by the supply chain attack on Ledger ConnectKit. Among the decentralized exchanges Blockaid identified as susceptible were Kyber, SushiSwap, RevokeCash, and Zapper.
Kyber and RevokeCash swiftly took their front ends offline in response to the threat. Notably, the vulnerability surfaced shortly after KyberSwap itself was hacked, with losses of around $46 million worth of cryptocurrency.
The speed and reach of the attack are reflected in Blockaid’s estimate of almost $150,000 lost within only a few hours. Blockaid has assured users of Blockaid-enabled wallets that they are protected from this particular attack, but the hack’s ramifications could be serious for the Web3 ecosystem as a whole.
The vulnerability originated in the Ledger ConnectKit software library as hosted by a particular Content Delivery Network (CDN).
In response to the attack, Ledger confirmed the breach in a statement and assured customers that a legitimate version of Ledger ConnectKit is being pushed out to replace the malicious file. A software patch has also been created to fix the issue.