Hardware wallet manufacturer Ledger recently discovered a malicious version of its Connect Kit, which has prompted a warning to users against connecting to decentralized applications (dapps). With this article, we will go into the details of the incident, highlighting the potential risks and providing insights from industry experts. Let’s get into it!

Malicious Version Identified

Ledger has identified and removed a malicious version of its Connect Kit, a library that facilitates the interaction between Ledger hardware wallets and dapps. Users are advised not to engage with any dapps until the situation is resolved. Ledger assures users that its devices and Ledger Live app remain uncompromised, and they will provide updates as the situation evolves.


Impact on Dapps

Developers on Twitter initially reported the compromised version of the Connect Kit. Web3 security firm BlockAid confirmed that dapps using versions 1.1.4 and above of Ledger’s Connect Kit, including Sushi.com and Hey.xyz, were affected. The attacker injected a wallet-draining payload into the compromised library, posing a significant risk to users’ funds.

Criticism and Recommendations

SushiSwap CTO Matthew Lilley criticized Ledger for the security breach, emphasizing the need for dapp teams to confirm mitigation measures before resuming usage. Ethereum core developer liaison Hudson Jameson highlighted the risks of using dapps without understanding the backend libraries they rely on. Even after Ledger addresses the issue, dapp projects using the compromised library must update their systems for safe usage.

Previous Security Concerns

Ledger has faced criticism regarding its security practices in recent times. The voluntary ID-based Recover service, unrelated to the current attack, received backlash from users who considered it a potential “backdoor.” The company’s co-founder acknowledged the service’s poor rollout but defended its technical integrity. Additionally, Ledger previously experienced incidents involving a fraudulent app on the Microsoft App Store and a customer email database breach.

More Info: How to Protect Your Seed Phrase


The compromise of Ledger’s Connect Kit serves as a reminder of the importance of maintaining strong security practices in the cryptocurrency space. Users should exercise caution when interacting with dapps until Ledger resolves the issue and dapp teams implement necessary updates.

P.S. Breaking Down the Ledger Saga: Dive into the Exploit Chronicles

Yet, in this cyber-age drama, Ledger’s technology and security teams emerge as the unsung heroes, responding to the breach within a remarkable 40 minutes. The malevolent file may have lingered for five hours, but the window of vulnerability, where funds faced potential drainage, appears to have been mercifully brief – less than two hours.

Collaboration becomes a central theme in this narrative as Ledger coordinates with WalletConnect, swiftly disabling the rogue project. The genuine Ledger Connect Kit version 1.1.8 is subsequently deployed, standing as a testament to the resilience of security measures.

Behind the code curtain, developers find themselves in read-only mode for safety reasons, while secrets are rotated on Ledger’s GitHub, fortifying the defenses against potential future incursions. A call is issued to developers to ensure they are utilizing the latest version, 1.1.8.

As the pursuit of justice unfolds, a complaint is filed, and law enforcement joins the investigation to apprehend the malevolent actor. Simultaneously, Ledger, along with partners such as WalletConnect, reports the bad actor’s wallet address, with Tether freezing the associated USDT.

Here is what the company say

More Info:

Ledger’s track record of security concerns warrants scrutiny, highlighting the need for users to stay informed and take proactive measures to protect their crypto assets.

Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that despite the nature of much of the material created and hosted on this website, HODL FM is not a financial reference resource and the opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice of this sort, HODL FM strongly recommends contacting a qualified industry professional.