Sushi’s Chief Technology Officer raised concerns about a widespread exploit impacting decentralised finance (DeFi) as a front-end exploit targeted Ledger’s Connect Kit.
Ledger, a hardware wallet manufacturer, provides the Connect Kit, which DeFi protocols like Lido, MetaMask, Coinbase, and Sushi use to connect decentralised applications (dApps) to Ledger's products. The exploit involves compromising the front end of a website or application, which lets attackers manipulate the user interface and trick users into sending funds to them. Sushi’s CTO urged users to refrain from interacting with any dApps because a commonly used web3 connector had been compromised.
“Do not interact with ANY dApps until further notice,” Sushi CTO Matthew Lilley wrote on X. “It appears that a commonly used web3 connector has been compromised, which allows for injection of malicious code affecting numerous dApps.”
Five hours after the cyber attack, Ledger published a post-mortem on X (Twitter), revealing that a phishing attack on a former employee had allowed the injection of malicious code into the Connect Kit. Tether froze the hacker’s wallet, and Ledger advised users not to interact with dApps until further notice.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
“We’ve identified a critical issue: the ledger connector has been compromised, potentially allowing the injection of malicious code affecting various dApps,” Sushi wrote in a statement. “If you have the Sushi page open and see an unexpected ‘Connect Wallet’ pop-up, DO NOT interact or connect your wallet.”