Topic: IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer. (Read 616 times)

hero member
Activity: 2310
Merit: 832
This is not an advertisement of this particular wallet, but I read that the Rabby DeFi wallet proved itself to be a good choice because of its signing mechanism. The pop-up that the wallet displays shows what you are signing and what effect it will have on your balance once the contract is signed. Rabby also has some sort of transaction screening system where it tries to find out if the contract presents a vulnerability for the signer. It then tells you what the results of the screening are. Apparently, the wallet warned users that signing the transaction contract would drain all the funds from the address.

Some more info below
https://medium.com/@rabby_io/rabby-release-announcement-564406988e2b

Seconded. Apparently, Rabby wallet has proven to be the best Web3 wallet. It is even better than Metamask in that it has one of the best UIs and UX (if not the best in the industry). It was created by the guys at Debank DeFi and it is easily becoming one of the most used wallets as well. The feature you mentioned is their simulation feature. It shows the possible results of signing a transaction so that the user can make an informed decision on whether or not they want to go ahead with it.

It's really good stuff and I enjoy using it since it has some of the best wallet security out of the box.
legendary
Activity: 1792
Merit: 1296
It's positive news that they are going to compensate the affected users. In other words, it's an admission of guilt without admitting it officially in writing. Lucky for them that it's only $600k and not a bigger sum. I guess I will never see what their clear-sign feature will look like in the future as I stopped doing any Ledger-related updates a long time ago. Ledger will remain a device for my limited altcoin exposure and small amounts of bitcoin, while the rest is elsewhere.
Ledger had no choice but to promise to return the stolen money. If with their previous fuck-ups everything was limited to the theft of personal data and other things, that is, not directly the money of the Ledger device owners, then this time it was money worth $600k that was stolen. It turns out like this: the wallet should ensure the safety of money, but here there was a loss of money, and through the fault of this company and their former (really former?) employee. Here, like it or not, in order to avoid reputational losses (which are a common occurrence for Ledger) you will be forced to return the money. Otherwise, the victims would have raised such an outcry that things would only have gotten worse for the company. I saw information that Ledger contacted the management of Tether, which (sort of) froze the stolen USDT.

The return of the stolen money to the victims by Ledger should not be regarded as a heroic act. This is their direct responsibility, as the culprits of what happened.
legendary
Activity: 2730
Merit: 7065
Blind signing has always been a vulnerable spot of Ledger's devices at approval of smart contract details, the language of which is hard to understand for an ordinary human. They could incorporate an interpreter into at least their LL app to present those details pointedly. However, the solution of the problem also rests on the displays used by their devices. Only one of their wallets, i.e. Ledger Stax, has a display able to present content in a human-readable form.
This is not an advertisement of this particular wallet, but I read that the Rabby DeFi wallet proved itself to be a good choice because of its signing mechanism. The pop-up that the wallet displays shows what you are signing and what effect it will have on your balance once the contract is signed. Rabby also has some sort of transaction screening system where it tries to find out if the contract presents a vulnerability for the signer. It then tells you what the results of the screening are. Apparently, the wallet warned users that signing the transaction contract would drain all the funds from the address.

Some more info below
https://medium.com/@rabby_io/rabby-release-announcement-564406988e2b
hero member
Activity: 714
Merit: 1298
ensure that it will always be possible to clearly verify which action or transaction is to be authorized - also known as 'clear signing'

Blind signing has always been a vulnerable spot of Ledger's devices at approval of smart contract details, the language of which is hard to understand for an ordinary human. They could incorporate an interpreter into at least their LL app to present those details pointedly. However, the solution of the problem also rests on the displays used by their devices. Only one of their wallets, i.e. Ledger Stax, has a display able to present content in a human-readable form.
legendary
Activity: 2730
Merit: 7065
It's positive news that they are going to compensate the affected users. In other words, it's an admission of guilt without admitting it officially in writing. Lucky for them that it's only $600k and not a bigger sum. I guess I will never see what their clear-sign feature will look like in the future as I stopped doing any Ledger-related updates a long time ago. Ledger will remain a device for my limited altcoin exposure and small amounts of bitcoin, while the rest is elsewhere.
legendary
Activity: 3402
Merit: 9199
Ledger announced today in a statement that it will reimburse the stolen assets worth around $600,000 to affected users, including victims who do not own a Ledger.
The company also announced that it will develop a solution by June 2024 and ensure that it will always be possible to clearly verify which action or transaction is to be authorized, also known as 'clear signing'.

https://nitter.net/Ledger/status/1737457365526470665
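The Rabby simulation pop-up discussed above and the 'clear signing' Ledger promises in its statement both come down to the same thing: decoding the raw calldata a dApp asks you to sign into a sentence a human can check, instead of signing an opaque blob. The following is an added example, not Ledger, Rabby or ConnectKit code, showing the idea for the two standard ERC-20 calls. The function selectors are the real ERC-20 ones; the token and spender addresses and the calldata strings are constructed sample inputs, not from the incident.

```javascript
// Added example (not Ledger, Rabby or ConnectKit code): turn raw ERC-20
// calldata into the plain-language summary a clear-signing or simulation
// prompt would show, and flag the pattern a drainer relies on, an unlimited
// token allowance granted to an arbitrary spender.

// First 4 bytes of keccak256("approve(address,uint256)") and
// keccak256("transfer(address,uint256)"): the standard ERC-20 selectors.
const SELECTORS = {
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
};

const UINT256_MAX = (1n << 256n) - 1n;

// Read the n-th 32-byte ABI word (64 hex chars) from the argument section.
function word(argHex, n) {
  const w = argHex.slice(n * 64, (n + 1) * 64);
  if (w.length !== 64) throw new Error(`calldata truncated at word ${n}`);
  return w;
}

// Decode calldata into { known, selector, name, args, warnings }. Unknown
// selectors are reported as such rather than guessed: that is the blind-signing case.
function decodeCalldata(calldata) {
  const hex = calldata.replace(/^0x/i, "").toLowerCase();
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  const selector = hex.slice(0, 8);
  const entry = SELECTORS[selector];
  if (!entry) {
    return {
      known: false,
      selector,
      args: [],
      warnings: ["unknown function: you would be blind signing"],
    };
  }
  const argHex = hex.slice(8);
  const args = entry.params.map((type, i) => {
    const w = word(argHex, i);
    if (type === "address") {
      // An address occupies the low 20 bytes of the word; the 12 high bytes must be zero.
      if (!w.startsWith("0".repeat(24))) throw new Error("malformed address word");
      return "0x" + w.slice(24);
    }
    return BigInt("0x" + w);
  });
  const warnings = [];
  if (argHex.length > entry.params.length * 64) {
    warnings.push("trailing bytes after the declared arguments");
  }
  if (entry.name === "approve" && args[1] === UINT256_MAX) {
    warnings.push("unlimited allowance: the spender can move your entire balance at any time");
  }
  return { known: true, selector, name: entry.name, args, warnings };
}

// One-line, human-readable summary: the text a wallet prompt would display.
function summarize(token, calldata) {
  const d = decodeCalldata(calldata);
  if (!d.known) return `Call unknown function ${d.selector} on ${token}`;
  const amount = d.args[1] === UINT256_MAX ? "UNLIMITED" : d.args[1].toString();
  if (d.name === "approve") {
    return `Allow ${d.args[0]} to spend ${amount} of your tokens at ${token}`;
  }
  return `Send ${amount} of your tokens at ${token} to ${d.args[0]}`;
}

// Constructed sample inputs (hypothetical addresses, not from the real incident).
const SPENDER = "ab".repeat(20);
const TOKEN = "0x" + "cd".repeat(20);
const SAMPLE_UNLIMITED_APPROVE =
  "0x095ea7b3" + "00".repeat(12) + SPENDER + "ff".repeat(32);
const SAMPLE_TRANSFER =
  "0xa9059cbb" + "00".repeat(12) + SPENDER + "0".repeat(59) + "f4240"; // 1,000,000 units
const SAMPLE_UNKNOWN = "0xdeadbeef" + "00".repeat(64);

if (typeof require !== "undefined" && require.main === module) {
  for (const cd of [SAMPLE_UNLIMITED_APPROVE, SAMPLE_TRANSFER, SAMPLE_UNKNOWN]) {
    console.log(summarize(TOKEN, cd), decodeCalldata(cd).warnings);
  }
}
```

A real wallet would add a selector database for the contracts it supports and a simulation of the state change, but the security property is already visible here: the user sees "UNLIMITED" and a spender address, not a hex string, and anything the wallet cannot decode is labelled as blind signing rather than silently approved.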
legendary
Activity: 2212
Merit: 7064
Yes, I have looked at some alternatives. The problem with all other manufacturers is that they only support the AVAX C-Chain via the respective hardware wallet, including Metamask. Staking via Avalanche requires the P-Chain, which is currently only fully supported by Ledger.
They focused so much on working with a bunch of shitcoin crap that they forgot about the basic security and safety of everything else.
You can't have both in any serious hardware wallet, especially if you have a limited workforce and they just assemble stuff coming from China.
If someone found a way to exploit ledger-connect, they will find a way to exploit other things connected with shitcoins, like staking for example.
It's a risky gamble combination.

legendary
Activity: 2730
Merit: 7065
Yes, I have looked at some alternatives. The problem with all other manufacturers is that they only support the AVAX C-Chain via the respective hardware wallet, including Metamask. Staking via Avalanche requires the P-Chain, which is currently only fully supported by Ledger.
OK, I see. I just checked if Ledger offers native support for Avalanche tokens, and they don't. The supported AVAX wallet is the Avalanche wallet, which Trezor doesn't support. That can only mean that it's the Avalanche wallet that offers the needed P-Chain that you are taking advantage of for the staking feature.
legendary
Activity: 2520
Merit: 3054
I'd be off Ledger in a heartbeat if there was finally a viable alternative for people who have a larger stack of altcoins. At least my altcoins, e.g. AVAX, still can't be staked via Trezor - or any other competing product.
Trezor supports AVAX via third-party wallets, such as MetaMask, MyCrypto, and Rabby. Have you checked if any of those solutions have a staking feature for AVAX?
Yes, I have looked at some alternatives. The problem with all other manufacturers is that they only support the AVAX C-Chain via the respective hardware wallet, including Metamask. Staking via Avalanche requires the P-Chain, which is currently only fully supported by Ledger.

What do you mean? What penalties?

My bad, looks like that's a German saying, sorry for that ;)
This means that the competition makes serious mistakes (like a penalty kick in soccer), but you are not able to take advantage of the mistakes. Specifically, Trezor, for example, has announced that it will focus its development activities entirely on the Trezor Suite and will not work on (broader) support for other blockchains. However, if Trezor were to fully support the top 25 coins here (including staking, for example), more people would definitely switch from Ledger to Trezor - myself included.
legendary
Activity: 2730
Merit: 7065
The message came from their official GitHub page and there was no case of hack reported, meaning authorized personnel who had access to the account deployed the malicious code. If it's not from a team member, who could possibly have done this? A former employee who still has the login details?
Yes, that's exactly what they stated publicly. But it doesn't matter if it's an ex-employee or a current employee. It looks bad either way. If it's an ex-employee, why would he still have access rights and the ability to manually change code without anyone else's permission and verification? If it's a current employee, why does he not have the skills to recognize a scam and phishing attempt when he is working in a position with such security clearances?! 

I'd be off Ledger in a heartbeat if there was finally a viable alternative for people who have a larger stack of altcoins. At least my altcoins, e.g. AVAX, still can't be staked via Trezor - or any other competing product.
Trezor supports AVAX via third-party wallets, such as MetaMask, MyCrypto, and Rabby. Have you checked if any of those solutions have a staking feature for AVAX?

To be honest, I don't understand why the competition doesn't utilize the penalties that have been set up.
What do you mean? What penalties?
legendary
Activity: 2520
Merit: 3054
[...]
Sadly, everyone was asleep when it comes to the alleged ex employee who was able to upload the code changes without anyone else reviewing it and still had the needed access rights despite being an ex-employee.
That is indeed absolute madness and I wouldn't even expect something like that from a start-up. In my opinion, it also shows how badly Ledger's internal processes must be set up for a former employee's account to retain access to central repositories.

Ledger truly sucks at security and I'm surprised people still trust them with their funds.

I'd be off Ledger in a heartbeat if there was finally a viable alternative for people who have a larger stack of altcoins. At least my altcoins, e.g. AVAX, still can't be staked via Trezor - or any other competing product. To be honest, I don't understand why the competition doesn't utilize the penalties that have been set up ...
sr. member
Activity: 658
Merit: 441
This is people's hard-earned money, for Christ's sake, and I'm shocked at the level of negligence from the Ledger team. The message came from their official GitHub page and there was no case of hack reported, meaning authorized personnel who had access to the account deployed the malicious code. If it's not from a team member, who could possibly have done this? A former employee who still has the login details? Ledger truly sucks at security and I'm surprised people still trust them with their funds.
legendary
Activity: 2730
Merit: 7065
If anyone wants to go down this path, the laptop has to be offline (zero connection to the internet) most of the time otherwise, it's still likely to be exposed to even popular vulnerabilities.
Not most of the time. All of the time. After you install a fresh OS onto it (Linux is recommended), it should never be connected to the internet ever again. Removing the network/Wi-Fi cards ensures that you can't even mistakenly connect it to the internet.

I am reading the response of Ledger's CEO and can't help but to giggle. The guy is talking about the standard security practices the company uses and goes on to say how multiple parties review code before it's deployed. They control who can access what internally, and if an employee leaves the company, they revoke all access rights. Sadly, everyone was asleep when it comes to the alleged ex employee who was able to upload the code changes without anyone else reviewing it and still had the needed access rights despite being an ex-employee.

https://www.ledger.com/blog/a-letter-from-ledger-chairman-ceo-pascal-gauthier-regarding-ledger-connect-kit-exploit
hero member
Activity: 2520
Merit: 952
Why Ledger's hardware wallet came under scrutiny throughout the duration of the vulnerability was because many of their users connected to dapps directly using their ledger wallet and also because they could allow a past employee to still pose risks to their products in turn, affecting users.

Connecting Ledger with dapps was a mistake indeed; if people stop using their hardware wallets as hot wallets, they wouldn't fall victim to such exploits. Use the HW wallet as cold storage, send funds to another wallet to interact with dapps, and you will be fine.

Couple weeks ago, I was wondering if I should stake crypto through ledger live, I got my answer with this hack.
hero member
Activity: 2310
Merit: 832
This is why you should forget about getting any bitcoin-specific hardware at all and just stick to good ol' laptops, ideally laptops that can run free-as-in-freedom firmware, that will not have any running spyware chips or unnecessary blobs there. This is where you will have the most peace of mind when doing bitcoin; anything else is compromised and, if not, then just a target to be. If you have something specific to store bitcoins, that is a bigger target than some laptop with Linux, for obvious reasons.

If anyone wants to go down this path, the laptop has to be offline (zero connection to the internet) most of the time; otherwise, it's still likely to be exposed to even popular vulnerabilities. I still think hardware wallets have a place compared to mobile wallets that are very prone to a wide variety of attacks.

Why Ledger's hardware wallet came under scrutiny throughout the duration of the vulnerability was because many of their users connected to dapps directly using their ledger wallet and also because they could allow a past employee to still pose risks to their products in turn, affecting users.
hero member
Activity: 2702
Merit: 716
Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks. Are other hardware wallet companies like Trezor very good at their side ?
This should not affect or influence your decision of buying a hardware wallet, i hope you were not considering purchasing a Ledger hardware wallet, because it is not recommended, and even if they didn't have a problem with their connector library, they are still not recommended because of past issues, like ledger recover for example.

Look for recommended hardware wallets, passport is a good one, or set up your own airgapped wallet if you have the knowledge to do it.

That's true. I mean, I wasn't gonna buy Ledger at first place but when you're thinking of buying a hardware wallet and see a major hardware wallet company getting hacked then it becomes harder for you to choose a hardware wallet because you might want to reconsider your decision.
I do know how to configure an airgapped PC. That's a good option but hardware wallets are more convenient to use with their ease of access.
hero member
Activity: 2254
Merit: 680
This is why you should forget about getting any bitcoin-specific hardware at all and just stick to good ol' laptops, ideally laptops that can run free-as-in-freedom firmware, that will not have any running spyware chips or unnecessary blobs there. This is where you will have the most peace of mind when doing bitcoin; anything else is compromised and, if not, then just a target to be. If you have something specific to store bitcoins, that is a bigger target than some laptop with Linux, for obvious reasons.
Hardware Wallets are actually quite safe if they remain in use in their orientation, long-term holding, that's all. As an advantage, they're more practical than carrying a laptop. Unfortunately, many users request that wallets also function for strange things because the crypto ecosystem continues to develop. In essence, everything depends on the user's caution, regardless of the type of wallet.
sr. member
Activity: 322
Merit: 449
This is why you should forget about getting any bitcoin-specific hardware at all and just stick to good ol' laptops, ideally laptops that can run free-as-in-freedom firmware, that will not have any running spyware chips or unnecessary blobs there. This is where you will have the most peace of mind when doing bitcoin; anything else is compromised and, if not, then just a target to be. If you have something specific to store bitcoins, that is a bigger target than some laptop with Linux, for obvious reasons.
hero member
Activity: 2254
Merit: 680
Though the news only states we should not be connecting to dApps, what happens if I just connect it normally and sync with the network?
It shouldn't matter; the ConnectKit library is the door to this vulnerability. You only connect to this library if you interact with dApps, not when you start connecting to the internet or just syncing your balance.
hero member
Activity: 3234
Merit: 775
Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks.
It's because they have the vast market share and that's why they're targeted, but this isn't the first time that we've seen them in the news. Aside from this compromise, they've got a feature called Recover that many don't like and which shouldn't really be considered. Too many attacks and controversies have happened with Ledger and that sucks.

Are other hardware wallet companies like Trezor very good at their side ?
I'm thinking of taking a Blockstream hardware wallet named Jade but I am still gathering reviews about it.