Popular hardware wallet manufacturer Ledger have advised users not to connect to dApps for the next 24 hours after pushing an urgent fix to rectify a compromised version of their Ledger Connect Kit library.

This library – which is used by the likes of MetaMask, Coinbase, Lido and others to connect their services to hardware wallets – was compromised following a phishing attack on an ex-Ledger employee, with the hacker publishing a malicious file that drained users' wallets.

A secure version of Ledger Connect Kit has now been distributed to users automatically, with Ledger publishing a timeline of events and their initial investigation.

When was the threat identified and fixed?

The threat was publicly identified by Matthew Lilley, CTO of decentralised exchange Sushi (formerly SushiSwap), at 12:30pm GMT today.

In a now-deleted tweet, MetaMask announced they’d pushed an update to their service to protect their users shortly thereafter, with a host of other web3 services announcing whether or not they were affected.

Ledger announced a fix at 1:35pm GMT and published a timeline of events at 3:49pm GMT, stating that they’d deployed a fix within 40 minutes of becoming aware of the issue, and that although the malicious file was live for around 5 hours, “the window where funds were drained was limited to a period of less than two hours.”

How can I protect my assets?

If you use a Ledger hardware wallet, or any of the popular services that use Ledger Connect Kit (including MetaMask, Coinbase, Lido and others), follow Ledger’s recommendation: do not connect to or use any dApps for the next 24 hours.

Many of the most popular web3 services have published statements as to whether they are or are not affected. If you have any concerns, check the most recent information from the services you use prior to connecting your wallet.

To help prevent future attacks, Ledger have advised users to use Clear Signing – their simple-language transaction signing method – wherever possible, and to “use an additional Ledger mint wallet” if they need to Blind Sign any transactions.

Ledger have stated they are “actively talking with customers whose funds might have been affected”, and will work proactively to “help those individuals at this time.”

nftplazas.com