Zapper, SushiSwap, and Balancer Affected by Attack on Ledger Connect Kit

A social engineering attack targeted a former Ledger employee whose access to the project had not been revoked, ultimately leading to the breach that affected numerous dApps.

Wallets connected to a computer
The hacker behind the Ledger breach left a message in the malicious script, expressing gratitude to Inferno, possibly referring to the notorious Inferno Drainer.

Yesterday, Ledger, a leading manufacturer of hardware and cold wallets for storing cryptocurrencies, fell victim to a hacker who targeted the Connect Kit. The exploit of the Connect Kit, the component that allows users to connect their hardware wallets to DApps, subsequently affected the performance of the front-end interfaces of numerous connected applications. This included Balancer, the DeFi protocol for liquidity pools, the SushiSwap DEX, and the DeFi asset management protocol Zapper.

According to the cybersecurity firm SlowMist, user g4sarah, who observed abnormal behavior in the front-end interfaces of Zapper and (a tool designed for token approval management), was one of the first to report the issue.

Read also: Wallet Registration on Replit Potentially Causes Mnemonic Phrase Exposure

“Both modals open, the fake one and web3modal v3 which is the fake and drainer wallet,” g4sarah wrote, likely referring to the simultaneous opening of two modal (popup) windows. The fake modal was likely designed to mimic or imitate a legitimate web3modal v3 (a version of a web3 modal), while the other one was the actual web3modal v3.

In less than an hour after users reported strange front-end behavior on popular DApps, Sushi’s Chief Technical Officer Matthew Lilley posted a warning on the X platform, recommending "not to interact with any dApp until further notice." According to Lilley, "A commonly used Web3 connector (a specific JavaScript library, part of the web3-react project) is suspected to have been compromised, allowing the injection of malicious code affecting numerous DApps," while Ledger could have contained a malicious script.

This assumption was soon confirmed by Ledger itself. "We have identified and removed a malicious version of the Ledger Connect Kit," its team posted on X, adding that it was working on replacing the malicious file with a genuine version of the connect kit. The Ledger team highly recommended not to interact with any DApps, emphasizing that "the Ledger device and Ledger Live were not compromised."

Meanwhile, many other apps issued reminders of the exploit, temporarily shutting down their platforms. and MetaMask were among them, whereas Kyber Network disabled its front-end UI as a precaution.

Read also: SlowMist’s Top DeFi Research: "The Basic Security Risks Are Severe"

As mentioned above, the Ledger wallets were supposedly unaffected by the hack; however, numerous dApps using the Ledger Connect Kit were impacted, making "the scope of the impact significant," as per SlowMist. At the same time, the effect of the exploit can be rather serious as it gives the attackers the same level of permissions to execute arbitrary code as the permissions the applications using the library have, providing them with a high degree of control over these applications.

The initiation of unauthorized transfers of cryptocurrency to drain users’ funds and the massive distribution of phishing links are some of the ways the malicious actor can profit from this type of attack. In addition to this, the hacker can exploit community panic, convincing users to transfer their assets to a new address, for instance, under the guise of necessary security measures. Furthermore, the criminal can also utilize the extended permissions to trick users into downloading and using fake wallet applications.

SlowMist's code analysis
Source: SlowMist, Medium

It has already been officially confirmed that the exploit was enabled by a premeditated social engineering phishing attack on a former Ledger employee's NPMJS account, who had not had the access rights revoked.

By abusing these rights, the hacker was able to replace the normal window logic with a Drainer class by inserting malicious JavaScript code in versions 1.1.5, 1.1.6, and 1.1.7 of the Ledger Connect Kit, which led to the creation of a fake DrainerPopup popup. Moreover, cryptocurrency users of the affected dApps were targeted by subsequent phishing attacks through the Content Delivery Network (CDN).

Finally, with the help of a malicious WalletConnect, the criminal has managed to redirect at least $600,000 to their address.

Unfortunately for the former Ledger employee, whose account was compromised, their name has already been spread on the X platform in the investigative posts, confusing the community as many X users believed the victim of the social engineering attack could have been the attacker themselves.

Interestingly, the attacker has left several comments in the malicious script it has inserted into the Ledger Connect Kit, including "Thank you, Inferno! <3," possibly referring to the notorious Inferno Drainer. Although Inferno Drainer was officially closed by its deployers in November, there were many other scam vendors, including Angel Drainer, at the time of publication.

Message left by hacker
Source: SlowMist, Medium

The Ledger team has already solved this issue, but it reminds its customers "to always clear sign with the Ledger,'" explaining that "What you see on the Ledger screen is what you actually sign." The team adds "If you still need to blind sign, use an additional Ledger mint wallet or parse your transaction manually."

The fact that the former Ledger employee still had access to the Ledger code repository sparked a lot of criticism in the crypto community. Many crypto users emphasized on X that "this [revoking access] is one of the most basic security procedures."

Additionally, many X users suggested that making the GitHub open-source could have notified many Ledger users before their funds were drained. However, other members of the community stressed that the issue lies in the ability of an individual Ledger developer to publish code changes without verification from teammates.

Earlier this week, SlowMist shared the results of its research focused on basic security risks in the top DeFi projects listed on DefiLlama, where the cybersecurity experts identified serious issues such as neglecting the use of CDNs, exposing IP addresses, or improper DNSSEC (Domain Name System Security Extensions) configurations.

Increased vulnerability to Distributed Denial of Service (DDoS) attacks and other types of hacks, a greater risk of doxing (stealing and publishing victims' sensitive information), DNS spoofing, and cache poisoning facilitating phishing scams, as well as weakened authentication, are just some of the possible consequences of having the security vulnerabilities detected by SlowMist.

The cybersecurity team emphasizes that the security of smart contracts, albeit critical for DeFi applications, is only one of the necessary measures. The recent incident affecting Ledger users has illustrated the significant impact of basic security threats, including negligence of effective employee privilege management.