Ledger Connect Kit Supply Chain Attack: A Comprehensive Analysis and Prevention Framework

December 14, 2023, was a truly distressing day for many leading dApps integrated with Ledger Connect Kit Library, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. The platforms were compromised and injected with a wallet drainer code which managed to snatch away $484 thousand worth of assets.

But how did it happen? And what could users do to prevent falling for this scam?

Let’s find out!

Breach origin and timeline

The attack first came to light at 7:43 PM when Twitter user @g4sarah reported a suspicious hijack of the front-end of Zapper, a DeFi asset management protocol. This was the earliest indication of potential security breach.

At 8:30 PM, SushiSwap’s CTO, Matthew Lilley, published a critical warning on Twitter. He advised users against interacting with any dApps, citing concerns over a compromised Web3 connector, which led to the injection of malicious code affecting multiple dApps. Lilley wrote:

Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.

At 8:56 PM, there was a widespread compromise announcement. Revoke.cash, one of the dApps utilizing the Ledger Connect Kit library, confirmed the security breach through Twitter:

Several popular crypto applications integrated with the Ledger Connect Kit library, including Revoke.cash, have been compromised. We have temporarily shut down our website. We recommend not using any crypto websites during the exploitation of this vulnerability.

Ledger’s official response came at 9:31 PM when the company published a tweet stating that they addressed the issue by identifying and removing the malicious version of the Ledger Connect Kit.

In a letter published on Ledger's website, Chairman Pascal Gauthier stated that the company deactivated the malicious code within 40 minutes of its discovery. Gauthier also revealed the reason for the exploit, claiming that:

This exploit was the result of a former employee falling victim to a phishing attack, which allowed a bad actor to upload a malicious file to Ledger’s NPMJS (a package manager for Javascript code shared between apps).

We worked swiftly, alongside our partner WalletConnect, to address the exploit, updating the NPMJS to remove and deactivate the malicious code within 40 minutes of discovery. This is a good example of the industry working swiftly together to address security challenges.

However, despite the prompt response, the malicious file had been live for approximately five hours. During this time, all the dApps using the Ledger Connect Kit were automatically executing the wallet drainer code.

Breach outcomes

The attack on Ledger Connect Kit had significant consequences, affecting numerous users and digital assets.

• $484 thousand drained from users’ wallets.
• It is estimated that the wallet drainer was live for approximately 5 hours, with active asset theft going on for 2 hours.
• Some impacted DeFi protocols were SushiSwap, Kyber, RevokeCash, and Zapper.
• Tether had frozen the scammers’ address.
• Users were advised to wait 24 hours before interacting with the affected dApps.

Gauthier warned developers working with the Ledger Connect Kit code to exercise caution and to ensure they are using the latest, verified, and safe-to-use version of the Ledger Connect Kit, version 1.1.8:

For builders who are developing and interacting with the Ledger Connect Kit code: connect-kit development team on the NPM project are now read-only and can’t directly push the NPM package for safety reasons. We have internally rotated the secrets to publish on Ledger’s GitHub. Developers, please check again that you’re using the latest version, 1.1.8.

DApp breach red flags and safety practices

Although the scam was executed very discreetly, there were several red flags signaling that something was off, namely:

🚩 A "Connect wallet" pop-up suddenly showed up the moment you landed on the website. That's really fishy because this kind of window should only pop up when you're actually doing something, like making a transaction or revoking token approval.

🚩 Instead of approval revoke transactions, users were prompted to sign a malicious transfer transaction that would send all their ETH tokens to scammers.

🚩 When making operations on the affected platforms, users were signing transactions with a scam address that impersonated 0x000...000 address.

By paying close attention to website behavior and transaction details, users could spot these red flags and quit the platforms before engaging in malicious transactions.

Yet another, and way more efficient, protective measure was Web3 Antivirus. Users who had the extension installed received instant notifications about potential threats, both when entering the compromised websites and receiving the signature request.

Summing up, here are five tips on how you can significantly reduce your risk of falling victim to compromised websites and enhance your overall security in the Web3 space:

✅ Be vigilant for unusual behavior: Stay alert for unexpected website activities like sudden pop-up windows or requests for signatures. These can be indicators of malicious intent.

✅ Review transaction details thoroughly: Before confirming any transaction, double-check to ensure the tokens you're sending or receiving are exactly what you expect. This helps prevent unwanted transfers or scams.

✅ Stay informed about security risks: Follow the official social media accounts of the dApps you use and keep up with Web3 news. Staying updated on potential security issues is key to avoiding threats.

✅ Pause activity after security alerts: In the event of an attack or security breach, stop making transactions until there's an all-clear from official sources. Acting on prompt and reliable information is crucial.

✅ Use security extensions like Web3 Antivirus: Don't sign off on any transactions without first consulting W3A alerts and security reports. Extensions like W3A are designed to detect threats that might not be obvious, providing an additional layer of protection for Web3 users.

Stay safe!