IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer.

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Quote from: Pmalek on December 22, 2023, 04:09:23 AM

This is not an advertisement of this particular wallet, but I read that the Rabby DeFi wallet proved itself to be a good choice because of its signing mechanism. The pop-up that the wallet displays shows what you are signing and what affect it will have on your balance once the contract is signed. Rabby also has some sort of transaction screening system where it tries to find out if the contract presents a vulnerability for the signer. It then tells you what the results of the screening are. Apparently, the wallet warned the users that signing the transaction contract would drain all the funds from the address.

Some more info below
https://medium.com/@rabby_io/rabby-release-announcement-564406988e2b

Seconded. Apparently, Rabby wallet has proven to be the best Web3 wallet. It is even better than Metamask in that it has one of the best UI and UX (if not the best in the industry). It was created by the guys at Debank DeFi and it is easily becoming one of the most used wallets as well. The feature you mentioned is their simulation feature. It shows a possible results from signing of a transaction so that the user so they can make an informed decision whether or not they want to go ahead with it.

It's really good stuff and I enjoy using since it has one of the best wallet security out of the box.

m2017

legendary

Activity: 1792

Merit: 1296

keep walking, Johnnie

Quote from: Pmalek on December 21, 2023, 04:46:11 AM

Quote from: cygan on December 20, 2023, 02:01:57 PM

It's positive news that they are going to compensate the affected users. In other words, it's an admission of guilt without admitting it officially in writing. Lucky for them that it's only $600k and not a bigger sum. I guess I will never see how their clear-sign feature will look like in the future as I have stopped doing any Ledger-related updates long time ago. Ledger will remain a device for my limited altcoin exposure and small amounts of bitcoin, while the rest is elsewhere.

Ledger had no choice but ~~to return~~ promise to return the stolen money. If with their previous fackups everything was limited to the theft of personal data and other things, that is, not directly the money of the ledger device owners, then this time it was money worth $600k that was stolen. It turns out like this: the wallet should ensure the safety of money, but here there was a loss of money, and through the fault of this company and their former (really former?) employee. Here, like it or not, in order to avoid reputational losses (which are a common occurrence for ledgeryou will be forced to return the money. Otherwise, the victims would have raised such a whine that the company would have only gotten worse. I saw information that ledger contacted the management of Tether which (sort of) froze the stolen USDT.

The return of stolen money to the victims by the ledger should not be regarded as a heroic act. This is their direct responsibility, as the culprits of what happened.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: satscraper on December 21, 2023, 05:43:57 AM

Blind signing has always been a vulnerable spot of Ledger's devices at approval of smart contract details the language of which is hard to understand for ordinary human. They could incorporate interpreter into at least their LL app to present those details pointedly. However, the solution of the problem also rests on displays used by their devices. Only one of their wallets, i.e. Ledger Stax, has the display to present content which fits the human readability.

This is not an advertisement of this particular wallet, but I read that the Rabby DeFi wallet proved itself to be a good choice because of its signing mechanism. The pop-up that the wallet displays shows what you are signing and what affect it will have on your balance once the contract is signed. Rabby also has some sort of transaction screening system where it tries to find out if the contract presents a vulnerability for the signer. It then tells you what the results of the screening are. Apparently, the wallet warned the users that signing the transaction contract would drain all the funds from the address.

Some more info below
https://medium.com/@rabby_io/rabby-release-announcement-564406988e2b

satscraper

hero member

Activity: 714

Merit: 1298

Cashback 15%

Quote from: cygan on December 20, 2023, 02:01:57 PM

ensure that it will always be possible to clearly verify which action or transaction is to be authorized - also known as 'clear signing'

Blind signing has always been a vulnerable spot of Ledger's devices at approval of smart contract details the language of which is hard to understand for ordinary human. They could incorporate interpreter into at least their LL app to present those details pointedly. However, the solution of the problem also rests on displays used by their devices. Only one of their wallets, i.e. Ledger Stax, has the display to present content which fits the human readability.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: cygan on December 20, 2023, 02:01:57 PM

It's positive news that they are going to compensate the affected users. In other words, it's an admission of guilt without admitting it officially in writing. Lucky for them that it's only $600k and not a bigger sum. I guess I will never see how their clear-sign feature will look like in the future as I have stopped doing any Ledger-related updates long time ago. Ledger will remain a device for my limited altcoin exposure and small amounts of bitcoin, while the rest is elsewhere.

cygan

legendary

Activity: 3122

Merit: 7618

Cashback 15%

Ledger announced today in a statement that it will reimburse the stolen assets worth around $600,000 to affected users, including victims who do not own a Ledger.
the company also announced that it will develop a solution by june 2024 and ensure that it will always be possible to clearly verify which action or transaction is to be authorized - also known as 'clear signing'

https://nitter.net/Ledger/status/1737457365526470665

dkbit98

legendary

Activity: 2212

Merit: 7064

Cashback 15%

Quote from: Lakai01 on December 19, 2023, 01:34:41 PM

Yes, I have looked at some alternatives. The problem with all other manufactors is that they only support the AVAX C-Chain via the respective hardware wallet, including Metamask. Staking via Avalanche requires the P-Chain, which is currently only fully supported by Ledger.

They focused so much on working with bunch of shitcoin crap, that they forget about basic security and safety of everything else.
You can't have both in any serious hardware wallet, especially if you have limited work force and they just assemble stuff coming from China.
If someone found a way to exploit ledger-connect, it will find a way to exploit other things connected with shitcoins, like staking for example.
It's a risky gamble combination.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: Lakai01 on December 19, 2023, 01:34:41 PM

Yes, I have looked at some alternatives. The problem with all other manufactors is that they only support the AVAX C-Chain via the respective hardware wallet, including Metamask. Staking via Avalanche requires the P-Chain, which is currently only fully supported by Ledger.

OK, I see. I just checked if Ledger offers native support for Avalanche tokens, and they don't. The supported AVAX wallet is the Avalanche wallet, which Trezor doesn't support. That can only mean that it's the Avalanche wallet that offers the needed P-Chain that you are taking advantage of for the staking feature.

Lakai01

legendary

Activity: 2296

Merit: 2721

Top Crypto Casino

Quote from: Pmalek on December 19, 2023, 12:56:26 PM

Quote from: Lakai01 on December 19, 2023, 08:16:18 AM

I'd be off Ledger in a heartbeat if there was finally a viable alternative for people who have a larger stack of altcoins. At least my altcoins, e.g. AVAX, still can't be staked via Trezor - or any other competing product.

Trezor supports AVAX via third-party wallets, such as MetaMask, MyCrypto, and Rabby. Have you checked if any of those solutions have a staking feature for AVAX?

Yes, I have looked at some alternatives. The problem with all other manufactors is that they only support the AVAX C-Chain via the respective hardware wallet, including Metamask. Staking via Avalanche requires the P-Chain, which is currently only fully supported by Ledger.

Quote from: Pmalek on December 19, 2023, 12:56:26 PM

What do you mean? What penalties?

My bad, looks like that's a German saying, sorry for that Wink

This means that the competition makes serious mistakes (like a penalty kick in soccer), but you are not able to take advantage of the mistakes. Specifically, Trezor, for example, has announced that it will focus its development activities entirely on the Trezor Suite and will not work on (broader) support for other blockchains. However, if Trezor were to fully support the top 25 coins here (including staking, for example), more people would definitely switch from Ledger to Trezor - myself included.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: sokani on December 19, 2023, 07:29:53 AM

The message came from their official GitHub page and there was no case of hack reported, meaning an authorized personnel who had access to the account deployed the malicious code. if it's not from a team member, who could possibly have done this? A former employee who still have the login details?

Yes, that's exactly what they stated publicly. But it doesn't matter if it's an ex-employee or a current employee. It looks bad either way. If it's an ex-employee, why would he still have access rights and the ability to manually change code without anyone else's permission and verification? If it's a current employee, why does he not have the skills to recognize a scam and phishing attempt when he is working in a position with such security clearances?!

Quote from: Lakai01 on December 19, 2023, 08:16:18 AM

I'd be off Ledger in a heartbeat if there was finally a viable alternative for people who have a larger stack of altcoins. At least my altcoins, e.g. AVAX, still can't be staked via Trezor - or any other competing product.

Trezor supports AVAX via third-party wallets, such as MetaMask, MyCrypto, and Rabby. Have you checked if any of those solutions have a staking feature for AVAX?

Quote from: Lakai01 on December 19, 2023, 08:16:18 AM

To be honest, I don't understand why the competition doesn't utilize the penalties that have been set up.

What do you mean? What penalties?

Lakai01

legendary

Activity: 2296

Merit: 2721

Top Crypto Casino

Quote from: Pmalek on December 17, 2023, 09:58:52 AM

[...]
Sadly, everyone was asleep when it comes to the alleged ex employee who was able to upload the code changes without anyone else reviewing it and still had the needed access rights despite being an ex-employee.

That is indeed an absolute madness and I wouldn't even expect something like that from a start-up. In my opinion, it also shows how badly the ledger's internal processes must be set up for a former employee's account to retain access to central repositories.

Quote from: sokani on December 19, 2023, 07:29:53 AM

Ledger truly sucks at security and I'm surprised people still trust them with their funds.

I'd be off Ledger in a heartbeat if there was finally a viable alternative for people who have a larger stack of altcoins. At least my altcoins, e.g. AVAX, still can't be staked via Trezor - or any other competing product. To be honest, I don't understand why the competition doesn't utilize the penalties that have been set up ...

sokani

sr. member

Activity: 504

Merit: 421

Top Crypto Casino

This is people's hard earned money for christ sake and I'm shocked at the level of negligence from the ledger team. The message came from their official GitHub page and there was no case of hack reported, meaning an authorized personnel who had access to the account deployed the malicious code. if it's not from a team member, who could possibly have done this? A former employee who still have the login details? Ledger truly sucks at security and I'm surprised people still trust them with their funds.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: nelson4lov on December 15, 2023, 03:58:32 PM

If anyone wants to go down this path, the laptop has to be offline (zero connection to the internet) most of the time otherwise, it's still likely to be exposed to even popular vulnerabilities.

Not most of the time. All of the time. After you install a fresh OS onto it (Linux is recommended), it should never be connected to the internet ever again. Removing the network/WIFI cards ensures that you can't even mistakenly connect it to the internet.

I am reading the response of Ledger's CEO and can't help but to giggle. The guy is talking about the standard security practices the company uses and goes on to say how multiple parties review code before it's deployed. They control who can access what internally, and if an employee leaves the company, they revoke all access rights. Sadly, everyone was asleep when it comes to the alleged ex employee who was able to upload the code changes without anyone else reviewing it and still had the needed access rights despite being an ex-employee.

https://www.ledger.com/blog/a-letter-from-ledger-chairman-ceo-pascal-gauthier-regarding-ledger-connect-kit-exploit

libert19

hero member

Activity: 2464

Merit: 934

Quote from: nelson4lov on December 15, 2023, 03:58:32 PM

Why Ledger's hardware wallet came under scrutiny throughout the duration of the vulnerability was because many of their users connected to dapps directly using their ledger wallet and also because they could allow a past employee to still pose risks to their products in turn, affecting users.

Connecting ledger with dapps was mistake indeed, if people stop using their hardware wallets as hot wallets, they wouldn't fall victim to such exploits. Use hw like cold storage, send funds to other wallet to interact with dapps and you will be fine.

Couple weeks ago, I was wondering if I should stake crypto through ledger live, I got my answer with this hack.

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Quote from: takuma sato on December 14, 2023, 09:50:09 PM

This is why you should forget about getting any bitcoins-specific hardware at all and just stick to good ol laptops, ideally laptops that can run free as in freedom firmware, that will not have any running spyware chips or unnecessary blobs there. This is where you will have the most peace of mind when doing bitcoin, anything else is compromised and if not, then just a target to be. If you have something specific to store bitcoins that is a bigger target than some laptop with linux for obvious reasons.

If anyone wants to go down this path, the laptop has to be offline (zero connection to the internet) most of the time otherwise, it's still likely to be exposed to even popular vulnerabilities. I still think hardware wallets have a place compared to mobile wallets that are very prune to a wide variety of attacks.

Why Ledger's hardware wallet came under scrutiny throughout the duration of the vulnerability was because many of their users connected to dapps directly using their ledger wallet and also because they could allow a past employee to still pose risks to their products in turn, affecting users.

pawanjain

hero member

Activity: 2646

Merit: 713

Nothing lasts forever

Quote from: Z-tight on December 14, 2023, 01:26:48 PM

Quote from: pawanjain on December 14, 2023, 12:59:40 PM

Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks. Are other hardware wallet companies like Trezor very good at their side ?

This should not affect or influence your decision of buying a hardware wallet, i hope you were not considering purchasing a Ledger hardware wallet, because it is not recommended, and even if they didn't have a problem with their connector library, they are still not recommended because of past issues, like ledger recover for example.

Look for recommended hardware wallets, passport is a good one, or set up your own airgapped wallet if you have the knowledge to do it.

That's true. I mean, I wasn't gonna buy Ledger at first place but when you're thinking of buying a hardware wallet and see a major hardware wallet company getting hacked then it becomes harder for you to choose a hardware wallet because you might want to reconsider your decision.
I do know how to configure an airgapped PC. That's a good option but hardware wallets are more convenient to use with their ease of access.

rat03gopoh

hero member

Activity: 2002

Merit: 633

Your keys, your responsibility

Quote from: takuma sato on December 14, 2023, 09:50:09 PM

This is why you should forget about getting any bitcoins-specific hardware at all and just stick to good ol laptops, ideally laptops that can run free as in freedom firmware, that will not have any running spyware chips or unnecessary blobs there. This is where you will have the most peace of mind when doing bitcoin, anything else is compromised and if not, then just a target to be. If you have something specific to store bitcoins that is a bigger target than some laptop with linux for obvious reasons.

Hardware Wallets are actually quite safe if they remain in use in their orientation, long-term holding, that's all. As an advantage, they're more practical than carrying a laptop. Unfortunately, many users request that wallets also function for strange things because the crypto ecosystem continues to develop. In essence, everything depends on the user's caution, regardless of the type of wallet.

takuma sato

sr. member

Activity: 281

Merit: 408

This is why you should forget about getting any bitcoins-specific hardware at all and just stick to good ol laptops, ideally laptops that can run free as in freedom firmware, that will not have any running spyware chips or unnecessary blobs there. This is where you will have the most peace of mind when doing bitcoin, anything else is compromised and if not, then just a target to be. If you have something specific to store bitcoins that is a bigger target than some laptop with linux for obvious reasons.

rat03gopoh

hero member

Activity: 2002

Merit: 633

Your keys, your responsibility

Quote from: so98nn on December 14, 2023, 11:25:59 AM

Though the news only states we should not be connecting to dApps, what happens if I just connect it normally synch with the network?

It shouldn't matter, the KonncetKit Library is the door to this vulnerability. You only connect to this library if you interact with Dapps, not when start connecting to the internet or just syncing your balance.

tabas

hero member

Activity: 2954

Merit: 725

Top Crypto Casino

Quote from: pawanjain on December 14, 2023, 12:59:40 PM

Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks.

It's because they have the vast market share and that's why they're targeted but, this isn't the first time that we've seen them in the news. Aside from this compromise, they've got a feature of recover that many don't like it and shoudn't really be considered. Too many attacks and controversy has happened with Ledger and that sucks.

Quote from: pawanjain on December 14, 2023, 12:59:40 PM

Are other hardware wallet companies like Trezor very good at their side ?

I'm thinking of taking a Blockstream hardware wallet named Jade but I am still gathering reviews about it.

o48o

legendary

Activity: 2856

Merit: 1130

Leading Crypto Sports Betting & Casino Platform

Quote from: m2017 on December 14, 2023, 11:25:11 AM

Would you like a little dose of conspiracy theory?

After this compromise, Ledger will definitely release new firmware for their devices (they can’t help but do this), into which you can integrate any program code directed against the interests of ledger owners (like even more tracking and obtaining personal data or even gaining complete control over their means).

Horror story (they could have pulled this off a long time ago).

But seriously, what can I say. Ledger screwed up again. Happens. I mean, it has happened more than once. We weren't surprised at all. I wonder what the next fakap will be?

I honestly wonder why wouldn't they be liable for losses. They are a private company making money, and only reason they exist is because people trust their product safety.
I am sure that there are some disclaimers for something like this in their small print but i don't think that would legally cover for losses that happens because of exploit of their product.

Sure, everyone is responsible for their own money in crypto, but i think this goes to gray area on liability. I guess we have to wait and see. Anyway, this was bad news.

digaran

copper member

Activity: 1330

Merit: 899

🖤😏

It seems those developers are incompetent, that's why you should stay away from garbage such as dapp, you can't just go and develop something like this which involves money after being grounded by your parents, unfortunately they do that and people follow and use their apps blindly.

PrivacyG

hero member

Activity: 756

Merit: 1723

Crypto Swap Exchange

This sucks. Newbies purchase Shit Coins and they end up getting scammed in the most innocent way. They sign a Contract they can not understand anyway and they end up having their Wallets cleared. Then they buy a Ledger and guess what. Ledger is not as secure as it seems.

Altcoins nowadays seem like a one click disaster. You sign the wrong Contract which is unreadable in the first place and poof goes your money.

I am waiting for the day some body finds a backdoor to read Seeds out of Ledgers. At this point this is inevitable and would be nothing new for Ledgers customers.

Z-tight

hero member

Activity: 826

Merit: 1010

Only BTC

Quote from: pawanjain on December 14, 2023, 12:59:40 PM

Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks. Are other hardware wallet companies like Trezor very good at their side ?

This should not affect or influence your decision of buying a hardware wallet, i hope you were not considering purchasing a Ledger hardware wallet, because it is not recommended, and even if they didn't have a problem with their connector library, they are still not recommended because of past issues, like ledger recover for example.

Look for recommended hardware wallets, passport is a good one, or set up your own airgapped wallet if you have the knowledge to do it.

Zaguru12

hero member

Activity: 672

Merit: 855

Quote from: pawanjain on December 14, 2023, 12:59:40 PM

Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks. Are other hardware wallet companies like Trezor very good at their side ?

Since they started that there seed phrase storage saga, I think they have been compromised atleast two times, although this doesn’t affect anything much except those that interact with DApps but still this continuous breach can be seen as negligence and as the popular saying goes fool me once, shame on you. Fool me twice, shame on me. So I will advise you a little change of hardware wallets, Trezor hardly get into news like the way ledger devices does, but there are also other good hardware wallets like passport.

Better still if you have two devices, one which is still airgapped then I will say you should consider setting up a cold wallet with wallets like electrum.

pawanjain

hero member

Activity: 2646

Merit: 713

Nothing lasts forever

Just when I thought of buying a hardware wallet this happened and now I am reconsidering it.
Ledger is facing such attacks quite frequently now. It's not good for a company like Ledger to have such security flaws.
I wonder why is only Ledger facing such attacks. Are other hardware wallet companies like Trezor very good at their side ?

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: btc_penguin on December 14, 2023, 10:06:47 AM

Anyone knows whether Electrum uses the library as well?

No it does not, because it does not even support dApps.

BitMaxz

legendary

Activity: 3234

Merit: 2943

Block halving is coming.

Quote from: Z-tight on December 14, 2023, 11:45:20 AM

Quote from: btc_penguin on December 14, 2023, 10:06:47 AM

Anyone knows whether Electrum uses the library as well?

This is about Ledger and their connector library, i do not know too much about Dapps and how some of them use ledger's connector library, but this has nothing to do with Electrum, even if you have your Electrum connected to your Ledger wallet, just make sure you're running your own node for better privacy and security. Ledger isn't a recommended hardware wallet, so people should not even be using this hardware wallet in the first place.

Yes, Electrum shouldn't be affected by this vulnerability because Electrum doesn't use a ledger connect kit.

@btc_penguin If you don't feel safe there is a way to make a transaction on Electrum safe you just need two devices to make an unsign transaction from the online device and transfer the .psbt file to the offline device to sign it with your ledger offline. All ledger users should do this if they want to avoid any online attacks/vulnerabilities.

cygan

legendary

Activity: 3122

Merit: 7618

Cashback 15%

as Metamask announces, this affects not only Ledger users but everyone who uses dapps. at the same time, Metamask has deployed a fix for its users:

https://nitter.net/MetaMask/status/1735318141285085513

and according to this tweet you can see very well how the malicious 'connect wallet' popup menu opens over the original and offers the user various options:

https://nitter.net/apoorvlathey/status/1735281719216071019

Z-tight

hero member

Activity: 826

Merit: 1010

Only BTC

Quote from: btc_penguin on December 14, 2023, 10:06:47 AM

Anyone knows whether Electrum uses the library as well?

This is about Ledger and their connector library, i do not know too much about Dapps and how some of them use ledger's connector library, but this has nothing to do with Electrum, even if you have your Electrum connected to your Ledger wallet, just make sure you're running your own node for better privacy and security. Ledger isn't a recommended hardware wallet, so people should not even be using this hardware wallet in the first place.

so98nn

hero member

Activity: 2072

Merit: 603

Thanks for the heads up.

What is the protocol here? Should I control my urge to connect the ledger to a PC and the internet now? My soul purpose for having a Ledger is to store my coins for a very long duration and I rarely connect my Ledger and go live. I have had terrible experiences in the past so I am either not connecting it every day or just rarely synch the new balances, check the updates, and bug fixes only.

Though the news only states we should not be connecting to dApps, what happens if I just connect it normally synch with the network? Because I know if I connect and if there are any updates for let us say wallets of different coins then it will start auto downloainf it. I just don't want to get involve with any of the mess right now when the balance is loaded.

m2017

legendary

Activity: 1792

Merit: 1296

keep walking, Johnnie

Would you like a little dose of conspiracy theory?

After this compromise, Ledger will definitely release new firmware for their devices (they can’t help but do this), into which you can integrate any program code directed against the interests of ledger owners (like even more tracking and obtaining personal data or even gaining complete control over their means).

Horror story (they could have pulled this off a long time ago).

But seriously, what can I say. Ledger screwed up again. Happens. I mean, it has happened more than once. We weren't surprised at all. I wonder what the next fakap will be?

cheezcarls

hero member

Activity: 2254

Merit: 658

Revolutionized copy gaming platform

Most of the important assets are in my Ledger, but I’ve never connect it to Dapps as it’s only treated for long term storage. These hackers are getting smarter overtime, so DeFi and Web3 are still young and has long ways to go because of one of their major weakness which is the cybersecurity side.

On top of that, I have disconnected my burner Metamask wallet in all of the sites that I have interacted.

It looks like that the wallets implementing the traditional seed phrase and private key model are the most vulnerable of all and are targeted by the hackers whether if it’s cold or hot non-custodial type.

KiaKia

sr. member

Activity: 658

Merit: 384

It just get to my notice right now, and I already created another topic, this is so messed up with Ledger, I am glad that I am not using the Nano that was sent to me by a friend as a gift, I just don't feel safe using the wallet.

I think the best solution is to avoid connecting your hardware wallet to anything, if you want to sell, send from your hardware wallet to a hot wallet first and use the hot wallet to connect to anything, correct me if I am wrong? I believe this is even a good advice for all hardware wallet users.

As those who are trapped use their ledger to connect, I don't do this even while I am using a air gapped hardware wallet.

gunhell16

sr. member

Activity: 1666

Merit: 453

That's worrying, I even ordered a hardware wallet and I'm just waiting for it to arrive, really the exploitative person will do anything when there is an opportunity to attack other people to steal.

I hope it can be resolved properly and they can innovate more securely without disturbing the HW holders in these situations we have today. How many times have these issues happened? Wasn't there something before in the ledger too, right?

SquirrelJulietGarden

hero member

Activity: 1260

Merit: 723

Quote from: nelson4lov on December 14, 2023, 10:00:22 AM

The Library is used by various dapps for their "Connect Wallet" modal that users can click to connect their wallets to these dapps in other to facilitate interactions. One of the libraries (Ledger's ConnectKit) that is used in most frontends was compromised.

The issue mainly affects users that uses frontends for interactions.

dApps and smart contracts are not smart all all as they can be exploited by scammers.

I don't want to touch them too much and if I use dApp and smart contract with interactions, I will create a new wallet with small fund for it. If anyone use only one wallet, store all fund there but are ready to explore around new platforms, dApps, smart contracts, such interactions are risky and drain all money in that wallet.

I don't mind about Ledger and the advice is general for practice with fund, wallet and any interaction that can steal your money.

rhomelmabini

hero member

Activity: 2002

Merit: 578

Quote from: criptoevangelista on December 14, 2023, 10:01:24 AM

Quote from: rhomelmabini on December 14, 2023, 09:56:28 AM

Quote from: nelson4lov on December 14, 2023, 09:48:42 AM

Quote from: rhomelmabini on December 14, 2023, 09:46:00 AM

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

I would switch to a secure wallet so I don't have to worry about this anymore.

The drainer doesn't come from the signing message but was on the WalletConnect modal and the drainer was faking that popup modal with different appearance during the dApp connection phase. I already identify that during my interaction with revoke.cash they already made the site offline but I'm still being vigilant for further announcement.

Not necessarily I would switch considering there has been some staked assets on my wallet and the advisory that no interaction yet on any dApps means I won't be able to get them out as well. Still monitoring the incident and glad we have huge helpful community not just here but on Twitter/X as well.

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Quote from: Kryptowerk on December 14, 2023, 10:04:26 AM

Thanks for the warning and updates @nelson4lov

Soon I can start an info thread with a list of all the Ledger f-ups that happened over the years. It's getting longer and longer.

I'm not up-to-date with all these web3 dApp stuff - what actually is affected here? Are we talking about swap-dApps and Defi-stuff or anything else?
Also, does this only affect tokens on the Ethereum chain or also others?

No tokens or core Ethereum protocol was affected. The Ledger ConnectKit Library is a common Library that is usually used for connecting wallets in order to interact with Dapps (staking, swapping, Money markets, etc). Being compromised means any user that connects to any decentralized application via a "connect wallet" kit is likely to get drained since there is malicious drainer embedded in the library being used.

This is a case of a library being popularly used in frontends getting compromised.

btc_penguin

newbie

Activity: 3

Merit: 0

Anyone knows whether Electrum uses the library as well?

Kryptowerk

legendary

Activity: 2030

Merit: 1401

Disobey.

Thanks for the warning and updates @nelson4lov

Soon I can start an info thread with a list of all the Ledger f-ups that happened over the years. It's getting longer and longer.

I'm not up-to-date with all these web3 dApp stuff - what actually is affected here? Are we talking about swap-dApps and Defi-stuff or anything else?
Also, does this only affect tokens on the Ethereum chain or also others?

criptoevangelista

full member

Activity: 238

Merit: 494

Siga sempre em frente! always move forward!

Quote from: rhomelmabini on December 14, 2023, 09:56:28 AM

Quote from: nelson4lov on December 14, 2023, 09:48:42 AM

Quote from: rhomelmabini on December 14, 2023, 09:46:00 AM

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

I would switch to a secure wallet so I don't have to worry about this anymore.

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Quote from: OmegaStarScream on December 14, 2023, 09:56:46 AM

What does this really mean though? Is this the library used by dapps to allow users to connect directly to the Ledger, instead of using MetaMask as an intermediary? I don't believe I have seen many sites using that lately?

The Library is used by various dapps for their "Connect Wallet" modal that users can click to connect their wallets to these dapps in other to facilitate interactions. One of the libraries (Ledger's ConnectKit) that is used in most frontends was compromised.

The issue mainly affects users that uses frontends for interactions.

OmegaStarScream

staff

Activity: 3402

Merit: 6065

What does this really mean though? Is this the library used by dapps to allow users to connect directly to the Ledger, instead of using MetaMask as an intermediary? I don't believe I have seen many sites using that lately?

rhomelmabini

hero member

Activity: 2002

Merit: 578

Quote from: nelson4lov on December 14, 2023, 09:48:42 AM

Quote from: rhomelmabini on December 14, 2023, 09:46:00 AM

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Quote from: rhomelmabini on December 14, 2023, 09:46:00 AM

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

criptoevangelista

full member

Activity: 238

Merit: 494

Siga sempre em frente! always move forward!

The important thing now is not to interact with absolutely anything on chain until the problems are resolved.

again problems with the ledger. I use a ledger nano X and from now on I will consider getting a new hardwallet.

rhomelmabini

hero member

Activity: 2002

Merit: 578

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Apparently, Ledger is in the news again for the wrong reasons.

At first, SuchiSwap CTO (one of the leading DEXs) made a tweet about the suspected vulnerability.

The primary issue is that the Ledger ConnectKit NPM package Library that is used across majority of decentralized applications was updated few hours ago with malicious code (drainer):

How come?

It looks like the NPM key was leaked via a github action which means Anyone can invoke the action via a PR on Ledger's GitHub Orgs, then leak that key by crafting a malicious package.json.

Right now, any user interacting with any and all Dapps could potentially be exposed to the vulnerability and end up losing all funds to drainers. According to my research so far, it doesn't include users who are just using Ledger for day-to-day transfers with no interactions and prior interactions before the vulnerability was disclosed appears to good.

Side note: This only shows how poorly the Ledger team takes security and their continued negligence of the security of their products and services.

Update #1: Ledger has confirmed the vulnerability report:

Quote

🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨

A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and Ledger Live were not compromised.

Topic: IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer. (Read 523 times)