Ledger has begun to improve its security measures, but the incident poses a potential threat to the wider Ethereum Virtual Machine (EVM) ecosystem. The OKX decentralized exchange also suffered an attack earlier in the week, possibly linked to a leaked private key, causing damages of around $2.7 million. Both cases are still under investigation.
Hackers’ Next Target is Ledger
A breach of Ledger's security compromised multiple Ethereum-based apps, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash. Ledger CEO and chairman Pascal Gauthier addressed the breach, which occurred on December 14, assuring customers that it was an isolated incident. Gauthier said Ledger is also working closely with law enforcement to identify the culprit and ensure justice.
Gauthier says the hack was possible because a former employee fell victim to a scam. The malicious code appears to have been published under that former employee's name.
In light of the breach, Ledger is actively strengthening its infrastructure. Gauthier announced plans to tighten security controls, including connecting the company's build pipeline to the NPM distribution channel so that packages can only be published through that pipeline, bringing strict software supply chain controls to the NPM channel.
The entire EVM Ecosystem could be affected
Linea, an independent zero-knowledge project associated with ConsenSys, has noted that the breach of Ledger's connector library may have broader effects on the EVM ecosystem. The attacker specifically targeted the Ledger Connect Kit library, a critical component that handles communication between Ledger hardware wallets and a wide variety of DApps.
MetaMask, one of the world's most popular crypto wallet providers, was also affected. MetaMask responded quickly by issuing an update for MetaMask Portfolio. Users are advised to use the Blockaid security feature in the MetaMask extension before completing any MetaMask Portfolio transactions.
Ledger relies heavily on its connector libraries to let Ledger hardware interact with DApps. Compromising this one library can therefore affect a large number of EVM transactions and users.
Web3 applications that picked up the upgraded library unknowingly served the malicious code to their users' browsers. The attackers stole at least $484,000 from users of these applications.
Hakan Unal, a blockchain analyst, together with Cyvers CEO Deddy Lavid and CTO Meir Dolev, provided additional insight into the likely attack mechanics. Their analysis suggests the attacker used the malicious code to display misleading transaction data in wallets, tricking users into authorizing unintended payments.
By inserting malicious code into the Ledger Connect Kit, the attacker could manipulate the transaction sent to a user's wallet. Users often have to approve token contracts when using an app, which lets the app spend tokens from their wallet.
The malicious code likely caused the user's wallet to show a token approval request naming an attacker-controlled address as the spender instead of the app's contract. It may also have displayed a complicated confirmation dialog containing code, leading users to click "confirm" without understanding the full transaction details.
On-chain data supports this. It shows victims granting large token approvals to the malicious contract. In a single transaction, for example, the attacker drained over $10,000 from the Ethereum address 0xAE49C1ad3cf1654C1B22a6Ee38dD5Bc4ae08fEF7. Transaction logs show the malicious contract spending a large amount of USDC.
OKX DEX also Hacked
SlowMist, a blockchain security company, reported that an exploit had hit OKX DEX, the decentralized exchange run by OKX. The exploit is believed to stem from a leaked private key associated with a deprecated smart contract.
OKX acknowledged the exploit and announced that it will reimburse affected users. The exploit caused an estimated $2.7 million in damage, a figure that may rise as the investigation continues. The platform says it is working with authorities to track down and recover the stolen funds.
After the attack, Arkham Intelligence, a blockchain analytics company, launched a bounty on its Intel Exchange. The bounty rewards anyone who helps identify the individual or group responsible for the attack. Arkham says the same hacker or group may also be behind recent exploits of platforms such as LunaFi, Uno Re and RVLT, though specific evidence of that link is still limited. Arkham's bounty is about 5,000 ARKM, roughly $2,250.