Pages:
Author

Topic: IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer. - page 2. (Read 611 times)

legendary
Activity: 3080
Merit: 1178
Leading Crypto Sports Betting & Casino Platform
Would you like a little dose of conspiracy theory? Smiley

After this compromise, Ledger will definitely release new firmware for their devices (they can’t help but do this), into which you can integrate any program code directed against the interests of ledger owners (like even more tracking and obtaining personal data or even gaining complete control over their means).

Horror story (they could have pulled this off a long time ago).

But seriously, what can I say. Ledger screwed up again. Happens. I mean, it has happened more than once. We weren't surprised at all. I wonder what the next fakap will be?
I honestly wonder why wouldn't they be liable for losses. They are a private company making money, and only reason they exist is because people trust their product safety.
I am sure that there are some disclaimers for something like this in their small print but i don't think that would legally cover for losses that happens because of exploit of their product.

Sure, everyone is responsible for their own money in crypto, but i think this goes to gray area on liability. I guess we have to wait and see. Anyway, this was bad news.
copper member
Activity: 1330
Merit: 899
🖤😏
It seems those developers are incompetent, that's why you should stay away from garbage such as dapp, you can't just go and develop something like this which involves money after being grounded by your parents, unfortunately they do that and people follow and use their apps blindly.
legendary
Activity: 882
Merit: 1873
Crypto Swap Exchange
This sucks.  Newbies purchase Shit Coins and they end up getting scammed in the most innocent way.  They sign a Contract they can not understand anyway and they end up having their Wallets cleared.  Then they buy a Ledger and guess what.  Ledger is not as secure as it seems.

Altcoins nowadays seem like a one click disaster.  You sign the wrong Contract which is unreadable in the first place and poof goes your money.

I am waiting for the day some body finds a backdoor to read Seeds out of Ledgers.  At this point this is inevitable and would be nothing new for Ledgers customers.
legendary
Activity: 994
Merit: 1089
Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks. Are other hardware wallet companies like Trezor very good at their side ?
This should not affect or influence your decision of buying a hardware wallet, i hope you were not considering purchasing a Ledger hardware wallet, because it is not recommended, and even if they didn't have a problem with their connector library, they are still not recommended because of past issues, like ledger recover for example.

Look for recommended hardware wallets, passport is a good one, or set up your own airgapped wallet if you have the knowledge to do it.
hero member
Activity: 868
Merit: 952
Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks. Are other hardware wallet companies like Trezor very good at their side ?

Since they started that there seed phrase storage saga, I think they have been compromised atleast two times, although this doesn’t affect anything much except those that interact with DApps but still this continuous breach can be seen as negligence and as the popular saying goes fool me once, shame on you. Fool me twice, shame on me. So I will advise you a little change of hardware wallets, Trezor hardly get into news like the way ledger devices does, but there are also other good hardware wallets like passport.

Better still if you have two devices, one which is still airgapped then I will say you should consider setting up a cold wallet with wallets like electrum.
hero member
Activity: 2702
Merit: 716
Nothing lasts forever
Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks. Are other hardware wallet companies like Trezor very good at their side ?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Anyone knows whether Electrum uses the library as well?

No it does not, because it does not even support dApps.
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
Anyone knows whether Electrum uses the library as well?
This is about Ledger and their connector library, i do not know too much about Dapps and how some of them use ledger's connector library, but this has nothing to do with Electrum, even if you have your Electrum connected to your Ledger wallet, just make sure you're running your own node for better privacy and security. Ledger isn't a recommended hardware wallet, so people should not even be using this hardware wallet in the first place.

Yes, Electrum shouldn't be affected by this vulnerability because Electrum doesn't use a ledger connect kit.

@btc_penguin If you don't feel safe there is a way to make a transaction on Electrum safe you just need two devices to make an unsign transaction from the online device and transfer the .psbt file to the offline device to sign it with your ledger offline. All ledger users should do this if they want to avoid any online attacks/vulnerabilities.
legendary
Activity: 3304
Merit: 8633
icarus-cards.eu
as Metamask announces, this affects not only Ledger users but everyone who uses dapps. at the same time, Metamask has deployed a fix for its users:


https://nitter.net/MetaMask/status/1735318141285085513

and according to this tweet you can see very well how the malicious 'connect wallet' popup menu opens over the original and offers the user various options:


https://nitter.net/apoorvlathey/status/1735281719216071019
legendary
Activity: 994
Merit: 1089
Anyone knows whether Electrum uses the library as well?
This is about Ledger and their connector library, i do not know too much about Dapps and how some of them use ledger's connector library, but this has nothing to do with Electrum, even if you have your Electrum connected to your Ledger wallet, just make sure you're running your own node for better privacy and security. Ledger isn't a recommended hardware wallet, so people should not even be using this hardware wallet in the first place.
hero member
Activity: 2114
Merit: 603
Thanks for the heads up.

What is the protocol here? Should I control my urge to connect the ledger to a PC and the internet now? My soul purpose for having a Ledger is to store my coins for a very long duration and I rarely connect my Ledger and go live. I have had terrible experiences in the past so I am either not connecting it every day or just rarely synch the new balances, check the updates, and bug fixes only.

Though the news only states we should not be connecting to dApps, what happens if I just connect it normally synch with the network? Because I know if I connect and if there are any updates for let us say wallets of different coins then it will start auto downloainf it. I just don't want to get involve with any of the mess right now when the balance is loaded.
legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
Would you like a little dose of conspiracy theory? Smiley

After this compromise, Ledger will definitely release new firmware for their devices (they can’t help but do this), into which you can integrate any program code directed against the interests of ledger owners (like even more tracking and obtaining personal data or even gaining complete control over their means).

Horror story (they could have pulled this off a long time ago).

But seriously, what can I say. Ledger screwed up again. Happens. I mean, it has happened more than once. We weren't surprised at all. I wonder what the next fakap will be?
hero member
Activity: 2282
Merit: 659
Looking for gigs
Most of the important assets are in my Ledger, but I’ve never connect it to Dapps as it’s only treated for long term storage. These hackers are getting smarter overtime, so DeFi and Web3 are still young and has long ways to go because of one of their major weakness which is the cybersecurity side.

On top of that, I have disconnected my burner Metamask wallet in all of the sites that I have interacted.

It looks like that the wallets implementing the traditional seed phrase and private key model are the most vulnerable of all and are targeted by the hackers whether if it’s cold or hot non-custodial type.
sr. member
Activity: 728
Merit: 388
DGbet.fun - Crypto Sportsbook
It just get to my notice right now, and I already created another topic, this is so messed up with Ledger, I am glad that I am not using the Nano that was sent to me by a friend as a gift, I just don't feel safe using the wallet.

I think the best solution is to avoid connecting your hardware wallet to anything, if you want to sell, send from your hardware wallet to a hot wallet first and use the hot wallet to connect to anything, correct me if I am wrong? I believe this is even a good advice for all hardware wallet users.

As those who are trapped use their ledger to connect, I don't do this even while I am using a air gapped hardware wallet.
hero member
Activity: 1904
Merit: 541
That's worrying, I even ordered a hardware wallet and I'm just waiting for it to arrive, really the exploitative person will do anything when there is an opportunity to attack other people to steal.

I hope it can be resolved properly and they can innovate more securely without disturbing the HW holders in these situations we have today. How many times have these issues happened? Wasn't there something before in the ledger too, right?
hero member
Activity: 1442
Merit: 775
The Library is used by various dapps for their "Connect Wallet" modal that users can click to connect their wallets to these dapps in other to facilitate interactions. One of the libraries (Ledger's ConnectKit) that is used in most frontends was compromised.

The issue mainly affects users that uses frontends for interactions.
dApps and smart contracts are not smart all all as they can be exploited by scammers.

I don't want to touch them too much and if I use dApp and smart contract with interactions, I will create a new wallet with small fund for it. If anyone use only one wallet, store all fund there but are ready to explore around new platforms, dApps, smart contracts, such interactions are risky and drain all money in that wallet.

I don't mind about Ledger and the advice is general for practice with fund, wallet and any interaction that can steal your money.
hero member
Activity: 2030
Merit: 578
No God or Kings, only BITCOIN.
I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?
Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.
You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?
I would switch to a secure wallet so I don't have to worry about this anymore.
The drainer doesn't come from the signing message but was on the WalletConnect modal and the drainer was faking that popup modal with different appearance during the dApp connection phase. I already identify that during my interaction with revoke.cash they already made the site offline but I'm still being vigilant for further announcement.

Not necessarily I would switch considering there has been some staked assets on my wallet and the advisory that no interaction yet on any dApps means I won't be able to get them out as well. Still monitoring the incident and glad we have huge helpful community not just here but on Twitter/X as well.
hero member
Activity: 2212
Merit: 805
Top Crypto Casino
Thanks for the warning and updates @nelson4lov

Soon I can start an info thread with a list of all the Ledger f-ups that happened over the years. It's getting longer and longer.

I'm not up-to-date with all these web3 dApp stuff - what actually is affected here? Are we talking about swap-dApps and Defi-stuff or anything else?
Also, does this only affect tokens on the Ethereum chain or also others?

No tokens or core Ethereum protocol was affected. The Ledger ConnectKit Library is a common Library that is usually used for connecting wallets in order to interact with Dapps (staking, swapping, Money markets, etc). Being compromised means any user that connects to any decentralized application via a "connect wallet" kit is likely to get drained since there is malicious drainer embedded in the library being used.

This is a case of a library being popularly used in frontends getting compromised.
newbie
Activity: 3
Merit: 0
Anyone knows whether Electrum uses the library as well?
legendary
Activity: 2114
Merit: 1403
Disobey.
Thanks for the warning and updates @nelson4lov

Soon I can start an info thread with a list of all the Ledger f-ups that happened over the years. It's getting longer and longer.

I'm not up-to-date with all these web3 dApp stuff - what actually is affected here? Are we talking about swap-dApps and Defi-stuff or anything else?
Also, does this only affect tokens on the Ethereum chain or also others?
Pages:
Jump to: