Connect Kit Exploit Sparks Criticism of Ledger’s Security Framework


On Dec. 14, 2023, Ledger’s Connect Kit, a JavaScript library for wallet connectivity, suffered a significant exploit. This incident, which was contained within two hours, has brought forth a number of criticisms of Ledger’s security practices.

Ledger Exploit Elicits Mixed Reactions From Crypto Sphere; Dapps and Tether Respond Promptly to Breach

Ledger, known for its crypto security solutions and hardware wallet manufacturing, faced an exploit in its Ledger Connect Kit, a JavaScript tool used to connect websites to wallets. The breach, which lasted less than two hours, did not impact Ledger’s hardware or Ledger Live but was confined to third-party decentralized applications (dapps) using the Connect Kit. However, it has raised questions about Ledger’s software security protocols.

Jameson Lopp, a prominent figure in the crypto community and CTO of the bitcoin security provider Casa, pointed out three critical failures at Ledger: “Blindly loading code without pinning a specific version and checksum, not enforcing ‘2 man rules’ around code review and deployment, and not revoking former employee access.”

These lapses in security protocol allowed the exploit to occur when a phishing attack on a former employee led to the introduction of malicious code into Ledger’s NPMJS package. Lefteris Karapetsas also criticized Ledger’s approach, exclaiming, “Are you guys insane? Why would you build the most security-conscious library in the world to ‘load from CDN’ for convenience without having users to wait for dapps to update?”

Cryptofinally, another industry commentator, expressed disbelief at the nature of the breach: “Imagine being smart enough to exploit the entire ledger to dapp interface, and then leave your full name in the code, leading to your Twitter account that says, ex-ledger employee.”

In response to the exploit, Ledger CEO Pascal Gauthier acknowledged the breach and outlined steps for enhanced security measures. Gauthier stated, “This was an unfortunate isolated incident. It is a reminder that security is not static, and Ledger must continuously improve our security systems and processes.” Ledger plans to implement stronger controls, especially in software supply chain security, to avert similar future incidents.

The company has engaged with law enforcement and cybersecurity experts to track the stolen assets and is working with affected users. “We deeply regret the events that unfolded today for affected individuals,” Gauthier said. Ledger insists the incident has been contained, and Ledger assured the crypto community that the threat has been mitigated. A full timeline of the incident and response efforts was also shared alongside Gauthier’s statements.

In the wake of the Ledger exploit, various dapps and crypto firms took immediate action to mitigate the impact. Several protocols and companies disabled their front-end user interfaces as a precaution. Projects that took action include Lido, Sushi, Balancer, Revoke.cash, Zapper, and the non-fungible token (NFT) marketplace OpenSea. Tether CEO Paolo Ardoino also notified the crypto community that the stablecoin firm froze the Ledger exploiter address.

Arkham Intelligence announced a bounty for identifying those behind the Ledger Library Drainer Exploit. The exploit, linked to “Angel Drainer,” resulted in a loss of over $500K from multiple dapps. Arkham stated that rewards include revealing Angel Drainer’s identity, fund recovery leads, and information on post-incident KYC exchange deposits by Angel Drainer. Arkham offered a similar bounty after the OKX DEX incident, which saw the loss of $2.7 million.

What do you think about the recent Ledger exploit and the criticism? Share your thoughts and opinions about this subject in the comments section below.
