
Topic: IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer. - page 2. (Read 523 times)

legendary
Activity: 2856
Merit: 1130
Leading Crypto Sports Betting & Casino Platform
Would you like a little dose of conspiracy theory? :)

After this compromise, Ledger will definitely release new firmware for their devices (they can’t help but do this), into which you can integrate any program code directed against the interests of Ledger owners (like even more tracking and obtaining personal data or even gaining complete control over their means).

Horror story (they could have pulled this off a long time ago).

But seriously, what can I say. Ledger screwed up again. Happens. I mean, it has happened more than once. We weren't surprised at all. I wonder what the next fakap will be?
I honestly wonder why they wouldn't be liable for losses. They are a private company making money, and the only reason they exist is because people trust their product safety.
I am sure that there are some disclaimers for something like this in their small print, but I don't think that would legally cover for losses that happen because of an exploit of their product.

Sure, everyone is responsible for their own money in crypto, but I think this goes into a gray area on liability. I guess we have to wait and see. Anyway, this was bad news.
copper member
Activity: 1330
Merit: 899
🖤😏
It seems those developers are incompetent; that's why you should stay away from garbage such as dapps. You can't just go and develop something like this, which involves money, after being grounded by your parents. Unfortunately they do that, and people follow and use their apps blindly.
hero member
Activity: 756
Merit: 1723
Crypto Swap Exchange
This sucks. Newbies purchase Shit Coins and they end up getting scammed in the most innocent way. They sign a Contract they cannot understand anyway and they end up having their Wallets cleared. Then they buy a Ledger and guess what. Ledger is not as secure as it seems.

Altcoins nowadays seem like a one-click disaster. You sign the wrong Contract, which is unreadable in the first place, and poof goes your money.

I am waiting for the day somebody finds a backdoor to read Seeds out of Ledgers. At this point this is inevitable and would be nothing new for Ledger's customers.
hero member
Activity: 826
Merit: 1010
Only BTC
Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why only Ledger is facing such attacks. Are other hardware wallet companies like Trezor very good on their side?
This should not affect or influence your decision to buy a hardware wallet. I hope you were not considering purchasing a Ledger hardware wallet, because it is not recommended, and even if they didn't have a problem with their connector library, they are still not recommended because of past issues, like Ledger Recover for example.

Look for recommended hardware wallets; Passport is a good one, or set up your own airgapped wallet if you have the knowledge to do it.
hero member
Activity: 672
Merit: 855
Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why only Ledger is facing such attacks. Are other hardware wallet companies like Trezor very good on their side?

Since they started that seed phrase storage saga, I think they have been compromised at least two times. Although this doesn’t affect anything much except those that interact with DApps, this continuous breach can still be seen as negligence, and as the popular saying goes: fool me once, shame on you; fool me twice, shame on me. So I will advise you a little change of hardware wallets. Trezor hardly gets into the news the way Ledger devices do, but there are also other good hardware wallets like Passport.

Better still, if you have two devices, one of which is still airgapped, then I will say you should consider setting up a cold wallet with wallets like Electrum.
hero member
Activity: 2646
Merit: 713
Nothing lasts forever
Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why only Ledger is facing such attacks. Are other hardware wallet companies like Trezor very good on their side?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Does anyone know whether Electrum uses the library as well?

No, it does not, because it does not even support dApps.
legendary
Activity: 3234
Merit: 2943
Block halving is coming.
Does anyone know whether Electrum uses the library as well?
This is about Ledger and their connector library. I do not know too much about dApps and how some of them use Ledger's connector library, but this has nothing to do with Electrum. Even if you have your Electrum connected to your Ledger wallet, just make sure you're running your own node for better privacy and security. Ledger isn't a recommended hardware wallet, so people should not even be using this hardware wallet in the first place.

Yes, Electrum shouldn't be affected by this vulnerability because Electrum doesn't use the Ledger connect kit.

@btc_penguin If you don't feel safe, there is a way to make a transaction on Electrum safe: you just need two devices, to make an unsigned transaction from the online device and transfer the .psbt file to the offline device to sign it with your Ledger offline. All Ledger users should do this if they want to avoid any online attacks/vulnerabilities.
legendary
Activity: 3122
Merit: 7618
Cashback 15%
As MetaMask announces, this affects not only Ledger users but everyone who uses dapps. At the same time, MetaMask has deployed a fix for its users:

https://nitter.net/MetaMask/status/1735318141285085513

And according to this tweet you can see very well how the malicious 'connect wallet' popup menu opens over the original and offers the user various options:


https://nitter.net/apoorvlathey/status/1735281719216071019
hero member
Activity: 826
Merit: 1010
Only BTC
Does anyone know whether Electrum uses the library as well?
This is about Ledger and their connector library. I do not know too much about dApps and how some of them use Ledger's connector library, but this has nothing to do with Electrum. Even if you have your Electrum connected to your Ledger wallet, just make sure you're running your own node for better privacy and security. Ledger isn't a recommended hardware wallet, so people should not even be using this hardware wallet in the first place.
hero member
Activity: 2072
Merit: 603
Thanks for the heads up.

What is the protocol here? Should I control my urge to connect the Ledger to a PC and the internet now? My sole purpose for having a Ledger is to store my coins for a very long duration, and I rarely connect my Ledger and go live. I have had terrible experiences in the past, so I am either not connecting it every day or just rarely sync the new balances, check the updates, and bug fixes only.

Though the news only states we should not be connecting to dApps, what happens if I just connect it normally and sync with the network? Because I know if I connect and if there are any updates for, let us say, wallets of different coins, then it will start auto-downloading it. I just don't want to get involved with any of the mess right now when the balance is loaded.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
Would you like a little dose of conspiracy theory? :)

After this compromise, Ledger will definitely release new firmware for their devices (they can’t help but do this), into which you can integrate any program code directed against the interests of Ledger owners (like even more tracking and obtaining personal data or even gaining complete control over their means).

Horror story (they could have pulled this off a long time ago).

But seriously, what can I say. Ledger screwed up again. Happens. I mean, it has happened more than once. We weren't surprised at all. I wonder what the next fakap will be?
hero member
Activity: 2254
Merit: 658
Revolutionized copy gaming platform
Most of the important assets are in my Ledger, but I’ve never connected it to dApps as it’s only treated as long-term storage. These hackers are getting smarter over time, so DeFi and Web3 are still young and have a long way to go because of one of their major weaknesses, which is the cybersecurity side.

On top of that, I have disconnected my burner MetaMask wallet from all of the sites that I have interacted with.

It looks like the wallets implementing the traditional seed phrase and private key model are the most vulnerable of all and are targeted by the hackers, whether it’s a cold or hot non-custodial type.
sr. member
Activity: 658
Merit: 384
It just came to my notice right now, and I already created another topic. This is so messed up with Ledger. I am glad that I am not using the Nano that was sent to me by a friend as a gift; I just don't feel safe using the wallet.

I think the best solution is to avoid connecting your hardware wallet to anything. If you want to sell, send from your hardware wallet to a hot wallet first and use the hot wallet to connect to anything. Correct me if I am wrong? I believe this is even good advice for all hardware wallet users.

As those who are trapped use their Ledger to connect, I don't do this even while I am using an air-gapped hardware wallet.
sr. member
Activity: 1666
Merit: 453
That's worrying. I even ordered a hardware wallet and I'm just waiting for it to arrive. Really, the exploitative person will do anything when there is an opportunity to attack other people to steal.

I hope it can be resolved properly and they can innovate more securely without disturbing the HW holders in these situations we have today. How many times have these issues happened? Wasn't there something before with Ledger too, right?
hero member
Activity: 1260
Merit: 723
The library is used by various dapps for their "Connect Wallet" modal that users can click to connect their wallets to these dapps in order to facilitate interactions. One of the libraries (Ledger's ConnectKit) that is used in most frontends was compromised.

The issue mainly affects users that use frontends for interactions.
dApps and smart contracts are not smart at all, as they can be exploited by scammers.

I don't want to touch them too much, and if I use a dApp or smart contract with interactions, I will create a new wallet with a small fund for it. If anyone uses only one wallet, stores all funds there, but is ready to explore new platforms, dApps, and smart contracts, such interactions are risky and can drain all the money in that wallet.

I don't mind about Ledger, and the advice is general for practice with funds, wallets and any interaction that can steal your money.
hero member
Activity: 2002
Merit: 578
I don't know if I'll be affected by it, but when I saw the news I definitely ran to revoke.cash and definitely I got to sign there, but then suddenly it went to another website, so I closed it, like "Vercel" or something, can't remember. Do I have to worry about that?
Imo, as long as you didn't sign any of the prompts, you should be good to go. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.
You mean if I didn't sign anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it went to another site and it asked to log in with my GitHub etc. I'm monitoring my wallet but nothing is happening at the moment. Do I have to move anything then?
I would switch to a secure wallet so I don't have to worry about this anymore.
The drainer doesn't come from the signing message but was on the WalletConnect modal, and the drainer was faking that popup modal with a different appearance during the dApp connection phase. I already identified that during my interaction with revoke.cash. They already made the site offline, but I'm still being vigilant for further announcements.

I would not necessarily switch, considering there are some staked assets in my wallet, and the advisory of no interaction yet with any dApps means I won't be able to get them out as well. Still monitoring the incident, and glad we have a huge helpful community not just here but on Twitter/X as well.
hero member
Activity: 2030
Merit: 789
Top Crypto Casino
Thanks for the warning and updates @nelson4lov

Soon I can start an info thread with a list of all the Ledger f-ups that happened over the years. It's getting longer and longer.

I'm not up-to-date with all this web3 dApp stuff - what actually is affected here? Are we talking about swap-dApps and DeFi stuff or anything else?
Also, does this only affect tokens on the Ethereum chain or also others?

No tokens or core Ethereum protocol were affected. The Ledger ConnectKit library is a common library that is usually used for connecting wallets in order to interact with dApps (staking, swapping, money markets, etc.). Being compromised means any user that connects to any decentralized application via a "connect wallet" kit is likely to get drained, since there is a malicious drainer embedded in the library being used.

This is a case of a library popularly used in frontends getting compromised.
newbie
Activity: 3
Merit: 0
Does anyone know whether Electrum uses the library as well?
legendary
Activity: 2030
Merit: 1401
Disobey.
Thanks for the warning and updates @nelson4lov

Soon I can start an info thread with a list of all the Ledger f-ups that happened over the years. It's getting longer and longer.

I'm not up-to-date with all this web3 dApp stuff - what actually is affected here? Are we talking about swap-dApps and DeFi stuff or anything else?
Also, does this only affect tokens on the Ethereum chain or also others?