According to the team behind blockchain security platform Cyverse, ‘Ledger hackers’ embezzled at least $484,000 from multiple Web3 apps on December 14 and did so by tricking Web3 users into granting malicious token approvals.
According to public statements made by several parties involved, the hack happened on the morning of 14 December. The attacker used a phishing exploit to compromise a former Ledger employee’s computer, gaining access to the employee’s Node Package Manager JavaScript (npmjs) account.
We have identified and removed a malicious version of the Ledger Connect Kit.
Now a genuine version is being pushed to replace the malicious file. Do not interact with any DApps at this time. We will keep you informed as the situation evolves.
Your Ledger device and…
– Ledger (@Ledger) 14 December 2023
Once they gained access, they uploaded a malicious update to Ledger Connect’s GitHub repo. Ledger Connect is a commonly used package for Web3 applications.
Some Web3 apps were upgraded to the new version, causing them to deliver malicious code to users’ browsers. The Web3 apps Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash were infected with the code.
As a result, the attacker was able to steal at least $484,000 from users of these apps. Other apps may also be affected, and experts have warned that this vulnerability could affect the entire Ethereum Virtual Machine (EVM) ecosystem.
How could this happen?
Speaking to Cointelegraph, Cyverse CEO Dedi Lavid, Chief Technology Officer Meir Dolev, and blockchain analyst Hakal Unal shed light on how the attack could have occurred.
According to them, the attacker probably used malicious code to display misleading transaction data in the user’s wallet, causing the user to approve transactions they did not intend to.
Dolev said that when developers create Web3 apps, they use an open-source “Connect Kit” to allow their apps to connect to users’ wallets. These kits are stock pieces of code that can be installed into multiple apps, allowing them to handle the connection process without spending time writing that code themselves. Ledger’s Connect Kit is one of the options available to handle this task.
It appears as if today’s security incident was the culmination of three separate failures at Ledger:
1. Loading code blindly without pinning it to a specific version and checksum.
2. Not enforcing the “2 person rule” regarding code review and deployment.
3. Not revoking the former employee’s access.
– Jameson Lopp (@lopp) 14 December 2023
When a developer first writes their app, they typically install a connect kit through the Node Package Manager (NPM). After creating a build and uploading it to their site, their app will include the Connect Kit as part of its code, which will be downloaded to the user’s browser when they visit the site.
According to the team at Cyverse, malicious code inserted into the Ledger Connect Kit potentially allows an attacker to alter the transactions being sent to a user’s wallet. For example, as part of the process of using an app, the user is often required to issue an approval for token contracts, allowing the app to spend tokens from the user’s wallet.
Malicious code may cause a token approval confirmation request to be displayed to a user’s wallet but with the attacker’s address listed instead of the app’s address. Or, it could cause a wallet confirmation to appear that contains a difficult-to-decipher code, causing users to get confused and press “Confirm” without understanding what they are agreeing to.
Blockchain data shows that the victims of the attack made very large token approvals for the malicious contracts. For example, the attacker withdrew more than $10,000 from the Ethereum address 0xAE49C1ad3cf1654C1B22a6Ee38dD5Bc4ae08fEF7 in one transaction. The log of this transaction shows that the user allowed a very large amount of USDC to be spent by the malicious contract.
The Cyverse team said that this approval was probably made by mistake by the user because of the malicious code. They warned that it is extremely difficult to avoid such an attack, as wallets do not always provide users with clear information about what they are agreeing to. One security practice that can help is to carefully evaluate each transaction confirmation message that comes up when using an app. However, this will not help if the transaction is displayed as code that is not easily readable or is confusing.
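The two red flags described above (a spender that is not the app’s contract, and an approval amount far larger than the flow needs) can be checked mechanically before the user signs. The following is an added example, not code from the article, Ledger or Cyverse: it decodes the calldata of an ERC-20 `approve(address,uint256)` call the way a wallet or a dApp’s transaction-review hook could, and flags the mismatches. The contract addresses, the sane-amount threshold and the calldata are constructed for illustration.

```javascript
// Added example: review an ERC-20 approve() call before it is signed.
// Addresses, threshold and calldata below are constructed, not from the incident.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" approval value

// Decode ABI-encoded calldata of approve(address spender, uint256 amount).
// Returns null if the data is not a well-formed approve() call.
function decodeApprove(calldataHex) {
  const data = calldataHex.replace(/^0x/, "").toLowerCase();
  if (data.length !== 8 + 64 + 64) return null;      // selector + two 32-byte words
  if (data.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + data.slice(8 + 24, 8 + 64); // address = last 20 bytes of word 1
  const amount = BigInt("0x" + data.slice(72, 136));  // word 2, as an unsigned integer
  return { spender, amount };
}

// Compare the decoded approval with what the app legitimately asks for.
// expectedSpender: the contract the dApp is known to use.
// maxSane: largest base-unit amount this flow should ever need.
function reviewApproval(calldataHex, expectedSpender, maxSane) {
  const decoded = decodeApprove(calldataHex);
  if (!decoded) return { ok: false, reasons: ["not an ERC-20 approve() call"] };
  const reasons = [];
  if (decoded.spender !== expectedSpender.toLowerCase()) {
    reasons.push(`spender ${decoded.spender} is not the app contract ${expectedSpender.toLowerCase()}`);
  }
  if (decoded.amount === MAX_UINT256) {
    reasons.push("unlimited (max uint256) approval");
  } else if (decoded.amount > maxSane) {
    reasons.push(`amount ${decoded.amount} exceeds sane limit ${maxSane}`);
  }
  return { ok: reasons.length === 0, ...decoded, reasons };
}

// Build approve() calldata for the demo (the same encoding a wallet receives).
function encodeApprove(spender, amount) {
  const s = spender.replace(/^0x/, "").toLowerCase().padStart(64, "0");
  const a = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + s + a;
}

// Constructed addresses: the app's genuine contract and an attacker-controlled one.
const APP_CONTRACT = "0x1111111111111111111111111111111111111111";
const ATTACKER = "0x2222222222222222222222222222222222222222";
const USDC_1000 = 1_000n * 10n ** 6n;   // 1,000 USDC in base units (6 decimals)
const SANE_LIMIT = 10n ** 12n;          // 1,000,000 USDC, constructed upper bound

console.log(reviewApproval(encodeApprove(APP_CONTRACT, USDC_1000), APP_CONTRACT, SANE_LIMIT));
console.log(reviewApproval(encodeApprove(ATTACKER, MAX_UINT256), APP_CONTRACT, SANE_LIMIT));
```

The first call passes; the second reports both a wrong spender and an unlimited amount, which is the pattern a swapped-in attacker address produces.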
Cyverse said that its platform allows businesses to investigate contract addresses and determine whether those addresses have been involved in security incidents. For example, the account that created the smart contracts used in this attack was found by Cyverse to have been involved in 180 security incidents.
While future Web3 tools may allow such attacks to be detected and thwarted earlier, the industry still has a “long way to go” to solve this problem, the team told Cointelegraph.