The world of decentralized finance (DeFi) has been on high alert after the warning issued by Matthew Lilley, CTO of SushiSwap, regarding a possible vulnerability in dApps due to a compromised web3 connector. Just minutes ago, Ledger acknowledged the vulnerability and fixed the problem, although it is still unknown how much has been drained from the various affected decentralized applications.
This alert generated concern among users and leaders of the DeFi ecosystem, sowing uncertainty about security on multiple platforms.
Ledger, known for its hardware wallets, has also issued a crucial statemen.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
The company identified and removed a malicious version of its connection kit, responding to security concerns.
In a tweet, they announced that they are deploying a genuine version to replace the compromised file, providing relief to concerned users.
Ledger also recommended users to refrain from interacting with any dApp for the time being as preventive measure while they work on the complete solution.
However, they reassured users by stating that their Ledger and Ledger Live devices were not compromised by this incident, providing some security to those who trust these hardware wallets to protect their digital assets.
In a recent announcement, Metamask also claimed to have been affected by the hack and urged its users to upgrade to the latest version in order to operate with no problems.
📢🦊 Update: The recent hack affects all users, not just @Ledger users.
We’ve deployed a fix for MetaMask Portfolio. Users on the latest version v2.121.0 will be able to transact again & will be updated automatically. If you’re not on this version, please refresh your site data. pic.twitter.com/QzV1vcwTtT
— MetaMask 🦊🫰 (@MetaMask) December 14, 2023
This quick action by Ledger comes after the warning issued by Sushiswap’s Lilley
The CTO of SushiSwap alerted users about the possible risk of malicious code injection into numerous dApps through a compromised web3 connector.
🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
The suspicious code was mentioned to have come from Ledger’s GitHub page, sparking broader concern in the DeFi community.
Ledger’s immediate reaction in identifying and removing the compromised version reinforces its commitment to user security.
This move coincides with the DeFi industry’s efforts to safeguard user funds and restore trust in an evolving ecosystem.
Despite the actions taken by Ledger, it is essential that users continue to be cautious and follow the security recommendations issued by DeFi service providers, as the full resolution of this situation is still in progress.
