Ledger Exploit Drained $484K, Upended DeFi; Former Staffer Linked to Malicious Code

Security firm Blockaid's CEO told CoinDesk that users are still at risk.

AccessTimeIconDec 14, 2023 at 4:14 p.m. UTC
Updated Mar 8, 2024 at 6:41 p.m. UTC

Hackers stole $484,000 on Thursday after inserting malicious code into the Github library for Connect Kit, a widely-used piece of blockchain software maintained by the crypto wallet firm Ledger. Several major decentralized finance (DeFi) protocols that use the library have been impacted, and users have been warned to avoid using decentralized apps (dApps) altogether until these protocols are updated.

Ledger's Connect Kit is a piece of code that allows DeFi protocols to connect to crypto hardware wallets. The exploit potentially impacts the front-end of all protocols that use the Connect Kit, which include the likes of Sushi, Lido, Metamask and Coinbase.

  • Crypto Hacks Totaled $19B Since 2011: Crystal Intelligence
    Crypto Hacks Totaled $19B Since 2011: Crystal Intelligence
  • Over $67M in Crypto Lost to Hacks and Exploits in February: Immunefi Report
    Over $67M in Crypto Lost to Hacks and Exploits in February: Immunefi Report
  • Running With Crypto: 5 Questions With TRM Labs' Ari Redbord
    Running With Crypto: 5 Questions With TRM Labs' Ari Redbord
  • Hacks Involving North Korea Are 'Even Greater Problem': Legal Experts
    Hacks Involving North Korea Are 'Even Greater Problem': Legal Experts
  • In an X post on Thursday addressing the incident, Ledger confirmed that an employee had been targeted in a "phishing attack," after which point the attacker "published a malicious version of the Ledger Connect Kit."

    A ledger spokesperson told CoinDesk that it has "identified and removed a malicious version of the Ledger Connect Kit," and the company said in its X post that "the window where funds were drained was limited to a period of less than two hours."

    Although Ledger has updated its own code, Ido Ben-Natan, the CEO of blockchain security firm Blockaid told CoinDesk in a Telegram message that "many websites are still affected and users are getting hit." For the risk to be completely mitigated, every protocol using Ledger's Connect Kit has to manually update their version of the library. In the meantime, several protocols remain at risk, specifically revoke.cash, which is a service that is used to remove permissions from DeFi protocols.

    "Revoke.cash specifically is affected so don’t interact with it," Ben-Natan added. "the number of impacted funds is hundreds of thousands of dollars over the past two hours."

    DeFi-related hacks have been frequent throughout this year, and $303 million was stolen in July alone following exploits to Curve Finance and Multichain. After hacks take place, users typically use websites like revoke.cash to remove permissions from impacted protocols.

    In this case, however, as the front-end of websites has been impacted as opposed to hot wallets, revoke.cash users will be prompted to connect their wallets to a malicious token drainer, thus broadening the scope of the hack to anything in a user's wallet.

    MetaMask announced that it had deployed a fix to remove the malicious code two hours after the hack occurred.

    The nature of the exploit emphasizes the fragile nature of decentralized applications; as protocols use code from several software providers like Ledger, there are numerous points of failure along the supply chain that can ultimately impact users.

    Ledger has previously fallen victim to security issues. In 2020 its entire customer database was leaked, leading to fears of sim swapping and home invasion attacks. It also faced controversy this past year after a software update revealed discrepancies between the security of its hardware versus how it was marketed to users.

    Edited by Sam Kessler.


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Oliver Knight

    Oliver Knight is a CoinDesk reporter based between London and Lisbon. He does not own any crypto.

    Read more about