Connect Kit Exploit Sparks Criticism of Ledger’s Security Framework

Celý článek

On Dec. 14, 2023, Ledger’s Connect Kit, a Javascript library for wallet connectivity, suffered a significant exploit. This incident, which was contained within two hours, has brought forth a number of criticisms of Ledger’s security practices.

Ledger Exploit Elicits Mixed Reactions From Crypto Sphere; Dapps and Tether Respond Promptly to Breach

Ledger, known for its crypto security solutions and hardware wallet manufacturing, faced an exploit in its Ledger Connect Kit, a Javascript tool used to connect websites to wallets. The breach, which lasted less than two hours, did not impact Ledger’s hardware or Ledger Live but was confined to third-party decentralized applications (dapps) using the Connect Kit. However, this has raised questions about Ledger’s software security protocols.

Jameson Lopp, a prominent figure in the crypto community and CTO of the bitcoin security provider Casa, pointed out three critical failures at Ledger: “Blindly loading code without pinning a specific version and checksum, not enforcing ‘2 man rules’ around code review and deployment, and not revoking former employee access.”

These lapses in security protocol allowed the exploit to occur when a phishing attack on a former employee led to the introduction of malicious code into Ledger’s NPMJS. Lefteris Karapetsas also criticized Ledger’s approach, exclaiming, “Are you guys insane? Why would you build the most security-conscious library in the world to ‘load from CDN’ for convenience without having users to wait for dapps to update?”

Cryptofinally, another industry commentator, expressed disbelief at the nature of the breach: “Imagine being smart enough to exploit the entire ledger to dapp interface, and then leave your full name in the code, leading to your Twitter account that says, ex-ledger employee.”

In response to the exploit, Ledger CEO Pascal Gauthier acknowledged the breach and outlined steps for enhanced security measures. Gauthier stated, “This was an unfortunate isolated incident. It is a reminder that security is not static, and Ledger must continuously improve our security systems and processes.” Ledger plans to implement stronger controls, especially in software supply chain security, to avert similar future incidents.

The company has engaged with law enforcement and cybersecurity experts to track the stolen assets and is working with affected users. “We deeply regret the events that unfolded today for affected individuals,” Gauthier said. Ledger insists the incident has been contained, and Ledger assured the crypto community that the threat has been mitigated. A full timeline of the incident and response efforts was also shared alongside Gauthier’s statements.

In the wake of the Ledger exploit, various dapps and crypto firms took immediate action to mitigate the impact. Several protocols and companies disabled their front-end user interfaces as a precaution. Projects that took action include Lido, Sushi, Balancer, Revokecash, Zapper, and the non-fungible token (NFT) marketplace Opensea. Tether CEO Paolo Ardoino also notified the crypto community that the stablecoin firm froze the Ledger exploiter address.

Arkham Intelligence announced a bounty for identifying those behind the Ledger Library Drainer Exploit. The exploit, linked to “Angel Drainer,” resulted in a loss of over $500K from multiple dapps. Arkham stated that rewards include revealing Angel Drainer’s identity, fund recovery leads, and information on post-incident KYC exchange deposits by Angel Drainer. Arkham offered a similar bounty after the Okx Dex incident which saw the loss of $2.7 million.

What do you think about the recent Ledger exploit and the criticism? Share your thoughts and opinions about this subject in the comments section below.