Ledger Commits To Full Restitution For Victims Of $600,000 ConnectKit Attack

Hardware wallet manufacturer Ledger has responded to a recent security breach resulting in the theft of $600,000 worth of user assets. 

The company has pledged to enhance its security protocols by eliminating Blind Signing, a process where transactions are displayed in code rather than plain language, by June 2024.

Ledger Takes Responsibility For ConnectKit Attack

In a statement, Ledger emphasized its focus on addressing the recent security incident and preventing similar occurrences in the future. 

The company acknowledged the approximately $600,000 in assets that were impacted by the ConnectKit attack, particularly affecting users blind signing on Ethereum Virtual Machine (EVM) decentralized applications (dApps). 

Furthermore, Ledger pledged to make sure affected victims are fully compensated, including non-Ledger customers, with CEO & Chairman Pascal Gauthier personally overseeing the restitution process. 

According to the statement, Ledger has already initiated contact with affected users and is actively working with them to resolve their specific cases.

In addition, by June 2024, blind signing will no longer be supported on Ledger devices, contributing to a “new standard of user protection” and advocating for “Clear Signing,” which refers to a process that allows users to verify transactions on their Ledger devices before signing them across dApps.

On this matter, Ledger’s CEO Pascal Gauthier stated:

My personal commitment: Ledger will dedicate as much internal and external resources as possible to help the affected individuals recover their assets.

Heightened dApp Security Measures

According to an incident report released by the hardware wallet manufacturer, the attack exploited the Ledger Connect Kit, injecting malicious code into dApps utilizing the kit. 

This malicious code redirected assets to the attacker’s wallets, tricking EVM dApp users into “unknowingly signing transactions” that drained their wallets. 

Ledger addressed the attack by deploying a genuine fix for the Connect Kit within 40 minutes of detection. The compromised code remained accessible for a limited time due to the nature of content delivery networks (CDNs) and caching mechanisms.

Ledger acknowledged the risks faced by the entire industry in safeguarding users and emphasized the need to continually raise the bar for security in dApps. 

The company plans to strengthen its access controls, conduct audits of internal and external tools, reinforce code signing, and improve infrastructure monitoring and alerting systems. 

Additionally, Ledger will educate users on the importance of Clear Signing and the potential risks associated with blind signing transactions without a secure display.

Notably, with Clear Signing, users are presented with a clear and readable representation of the transaction details, enabling them to review and validate the transaction before providing their signature. 

This added layer of transparency and verification helps users mitigate the risks associated with front-end attacks or malicious code injected into decentralized applications.
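What Clear Signing adds over blind signing is a decoding step: the device can only show the user what it can parse out of the raw calldata, and anything it cannot parse is exactly what a blind-signing user approves sight unseen. The following is an added example, not Ledger's firmware or any code from this article. It assumes the transaction targets an ERC-20 token contract and uses one of the two standard methods `transfer(address,uint256)` and `approve(address,uint256)`, whose 4-byte selectors are the standard ones; the token, spender and recipient addresses are constructed placeholders.

```javascript
// Added example (not Ledger's code): decode raw ERC-20 calldata into the readable
// summary a clear-signing display would present, and flag the cases a user should
// look at twice. Sample transactions are constructed.

// Standard ERC-20 selectors (first 4 bytes of keccak256 of the signature).
const KNOWN_METHODS = {
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
  "095ea7b3": { name: "approve",  params: ["address", "uint256"] },
};
const UNLIMITED = (1n << 256n) - 1n; // uint256 max, the usual "unlimited approval"

// Return the i-th 32-byte ABI word of the argument area (hex, no 0x prefix).
function word(hex, i) {
  const start = 8 + i * 64; // 8 hex chars of selector, then 64-char words
  const w = hex.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata truncated");
  return w;
}

function decodeParam(type, w) {
  if (type === "address") {
    // An address is right-aligned in the word; the upper 12 bytes must be zero.
    if (!/^0{24}/.test(w)) throw new Error("malformed address word");
    return "0x" + w.slice(24);
  }
  if (type === "uint256") return BigInt("0x" + w);
  throw new Error("unsupported type " + type);
}

function formatUnits(amount, decimals) {
  if (amount === UNLIMITED) return "UNLIMITED";
  const base = 10n ** BigInt(decimals);
  const whole = amount / base;
  const frac = (amount % base).toString().padStart(decimals, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Produce the clear-signing summary, or a warning when the call cannot be decoded
// (the situation in which a user would otherwise be blind signing).
function describeCall(tx, decimals = 18) {
  const data = tx.data.toLowerCase().replace(/^0x/, "");
  if (data.length < 8) return { readable: false, warning: "no method selector" };
  const method = KNOWN_METHODS[data.slice(0, 8)];
  if (!method) return { readable: false, warning: "unknown method; details cannot be shown" };
  if (data.length - 8 !== method.params.length * 64) {
    return { readable: false, warning: "malformed argument length" };
  }
  const [counterparty, amount] = method.params.map((t, i) => decodeParam(t, word(data, i)));
  const out = { readable: true, method: method.name, token: tx.to, counterparty, amount, flags: [] };
  if (method.name === "approve" && amount === UNLIMITED) out.flags.push("unlimited approval");
  if (tx.value && BigInt(tx.value) > 0n) out.flags.push("native value sent to a token call");
  out.text = `${method.name} ${formatUnits(amount, decimals)} tokens of ${tx.to} ` +
    (method.name === "transfer" ? `to ${counterparty}` : `spendable by ${counterparty}`);
  return out;
}

// Constructed samples; addresses are placeholders, not real contracts.
const TOKEN = "0x" + "11".repeat(20);
const SPENDER = "0x" + "22".repeat(20);
const RECIPIENT = "0x" + "33".repeat(20);
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

const SAMPLE_TRANSFER = {
  to: TOKEN, value: "0x0",
  data: "0xa9059cbb" + pad(RECIPIENT) + pad((5n * 10n ** 18n).toString(16)),
};
const SAMPLE_UNLIMITED_APPROVE = {
  to: TOKEN, value: "0x0",
  data: "0x095ea7b3" + pad(SPENDER) + pad(UNLIMITED.toString(16)),
};
const SAMPLE_UNKNOWN = { to: TOKEN, value: "0x0", data: "0xdeadbeef" + pad("1") };

for (const tx of [SAMPLE_TRANSFER, SAMPLE_UNLIMITED_APPROVE, SAMPLE_UNKNOWN]) {
  console.log(describeCall(tx));
}
```

The third sample is the instructive one: a selector the device does not know yields no readable summary at all, and a user who signs anyway is trusting the front end that built the transaction, which is the trust the injected connector code abused.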


Featured image from Shutterstock, chart from TradingView.com

BREAKING: Sushi DeFi Security Breach: CTO Sounds Alarm, SUSHI Price Drops 4%

In a significant blow to the decentralized finance (DeFi) sector, the Sushi DeFi protocol has fallen victim to its second exploit this year.

The protocol’s Chief Technology Officer (CTO), Matthew Lilley, has issued a stark warning to users, advising them to refrain from using any decentralized applications (dApps) until further notice.

Sushi And Zapper Frontends Compromised

The latest breach has prompted concerns about the security and integrity of the Sushi DeFi protocol and other associated dApps. According to Lilley, a widely-used web3 connector has been compromised, allowing malicious code injection that affects numerous dApps. 

Specifically, dApps that use the LedgerHQ/connect-kit, a dApp that allows users to connect other dApps to their Ledger hardware wallets, are considered vulnerable. Notably, Lilley’s warning underscores the severity of the situation, emphasizing that this is not an isolated attack, but a large-scale assault targeting multiple dApps.

Further investigation by security experts has revealed a potential supply chain attack on the Ledger Connect Kit. The attacker allegedly succeeded in injecting a wallet-draining payload into the kit’s package on the Node Package Manager (NPM) registry, impacting several prominent dApps, including Hey and others. 

Additionally, it has been discovered that the Zapper and Sushi frontends have been hijacked, exacerbating the scope of the breach.

Slowmist, a module of Ledger, further confirmed that their system was hijacked and tampered with during the supply chain attack. This compromised the integrity of the ledgerhq/connect-kit library, which is relied upon by many dApps. 

As a result, users are urged to exercise caution when conducting any dApp-related operations and to scrutinize requests for wallet information that may appear unexpected.

Malicious Connect Kit Neutralized? 

In an official statement, Ledger has confirmed the identification and removal of a malicious version of the Ledger Connect Kit. The company assures users that their Ledger devices and Ledger Live remain uncompromised. 

The company stated that a genuine version of the Connect Kit is currently being pushed to replace the malicious file. Ledger advises users to refrain from interacting with any dApps at the moment for their safety. 

The company pledges to provide updates as the situation develops, ensuring users stay informed about the ongoing efforts to address the security breach.

SUSHI’s Uptrend Threatened By Exploit Fallout

In light of recent events affecting the Sushi DeFi protocol, its native token, SUSHI, has experienced a decline of over 4% within the past hour, reaching a low of $1.590. 


Before the exploit, SUSHI had been exhibiting a notable uptrend structure on its 1-day chart, marked by higher highs and higher lows. However, with the loss of its crucial support level at $1.961, there is a potential invalidation of the previously established uptrend. 

The uncertainty surrounding the protocol’s native token raises the possibility of further downside in SUSHI’s price action. If a sustained downtrend continues, the next significant support level for SUSHI is located at $1.084. 


Cardano (ADA) Launches Connector For DApps Integration

Cardano (ADA) continues to move further in its smart contracts integration on its blockchain. Cardano announced about a week ago that it had successfully completed the long-awaited Alonzo White Hard Fork. And with this, the project was moving on to the next phase of the integration.

Smart contracts on the Cardano network will allow developers to build decentralized finance (DeFi), NFTs, decentralized identity (DID), and countless other things on the network. This is why the move to smart contract support is very important for the network.


Continuing on down this road, Cardano has now launched a connector for DApps integration on the network using its Yoroi Wallet. Yoroi Wallet comes from the commercial arm and solutions provider of the Cardano Ecosystem known as EMURGO.

The Beta version of the connector was announced four months ago via a press release on the EMURGO website. This was in an effort to make a way for Cardano (ADA) and Ergo (ERG) users to be able to make DApp transactions on the blockchain with no problems.


The connector provides more incentives for DeFi developers to build solutions and services on the blockchains, and with Yoroi Wallet, users can seamlessly transfer between both networks. After months of Beta testing, Yoroi Wallet has announced that the App connector is now available for users on the blockchain.

The connector will increase adoption worldwide on the network, bringing more and more people into the decentralized global operating system that was made for a user base that spans the globe.

A @YoroiWallet dApp connector will allow interactions between users and blockchain-based dApps on the Cardano blockchain.

We are excited for you to read our new blog on our upcoming release and what it means for our users and the Cardano ecosystem! https://t.co/GvqpE03xxo pic.twitter.com/waSYMjHFm8

— Yoroi Wallet (@YoroiWallet) July 29, 2021

Functions Of Cardano’s Yoroi Wallet Connector

The Yoroi Wallet connector provides a much-needed bridge between users and blockchain-based decentralized apps (DApps) to enable them to access the services they require. The DApp connector will allow users to carry out activities permitted by the DApp that they are currently accessing.


These activities include the buying and selling of tokens, getting access to resources provided by that DApp, and/or accessing features offered by the DApp.

The bridge provided by the Yoroi Wallet connector also permits the validation of owners of specific assets. It also allows transactions to be executed for the DApp, a functionality that would bring access to things like NFTs.

ADA price currently trending around $1.25 | Source: ADAUSD on TradingView.com

More importantly, the Yoroi Wallet connector will act as the communication medium between the Cardano blockchain and smart contracts once the network is able to support them.

Users can get access to the connector by simply adding it as a plugin in their preferred browser. From there, they can access whatever features they wish to use.

Featured image from NewsBeezer, chart from TradingView.com