Security issue in Ledger ConnectKit library affects multiple decentralized applications

A critical web3 security vulnerability emerged today, reportedly affecting several decentralized applications. The issue is related to a software library from the crypto hardware wallet provider Ledger, the “LedgerHQ” library, that dapps rely on for use with the crypto wallet service. This vulnerability could potentially allow malicious code to be injected into numerous dapps on their front-ends — posing a significant risk to users and their assets.

Consequently, front ends to dapps such as SushiSwap, Kyber, RevokeCash and Zapper could be vulnerable if used. Both Kyber and RevokeCash confirmed on X that they disabled their front-ends. 

According to reports, the library code was replaced with malicious software created by hackers and designed to drain assets. 

Security firm Blockaid described it as a "supply chain attack" on Ledger Connect Kit and claimed that $150,000 had been lost in the past couple of hours. 

The issue likely emerged due to a specific Content Delivery Network used to host the software library being affected, according to Sushi’s chief technology officer Mathew Lilly. “LedgerHQ/connect-kit loads JavaScript from a CDN. Their CDN account has been compromised, which is injecting malicious JavaScript into multiple dApps,” Lilly said.

A potentially software patch was finalized in an update and may need to be adopted by dapps before conditions are safe.

Meanwhile, Lilly and others have warned users to avoid interacting with any dapps until further notice.

Ledger did not immediately respond to a request for comment.