Ledger, a hardware wallet manufacturer, has announced that it will disable blind signing for Ethereum Virtual Machine (EVM) decentralized applications (DApps) by June 2024, after a wallet drainer was inserted into a library that multiple DApps use to connect to Ledger devices.
Enhancing User Security: Ledger’s Plan For Blind Signing
Ledger disclosed in a tweet that the most recent exploit resulted in the theft of almost $600,000 worth of cryptocurrency assets. The company declared its intention to reimburse impacted victims following the security breach.
It stated that it would phase out the use of Ledger devices for blind signing by June 2024.
With blind signing, the device shows a smart-contract transaction only as raw data that a computer can parse but a person cannot check, so the user approves the interaction without seeing what it actually does. The company’s move to phase out blind signing is a step toward a new standard that improves user security and pushes all decentralized applications toward clear signing.
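To make the blind/clear distinction concrete, here is an added example (not Ledger’s code, not part of the original article) that decodes EVM calldata the way a clear-signing display would, next to the raw hex that a blind-signing prompt shows. It recognizes three well-known ERC-20/ERC-721 function selectors (`transfer`, `approve`, `setApprovalForAll`), decodes their static ABI arguments, and flags the two patterns that matter most to a user: an unlimited token allowance and a collection-wide operator approval. The sample calldata strings are constructed for the example.

```javascript
// Added example: clear-signing style decode of EVM calldata vs. the raw hex a
// blind-signing prompt displays. Not Ledger's code; selectors below are the
// well-known first 4 bytes of keccak256(signature) for these functions.
const KNOWN_SELECTORS = {
  a9059cbb: { name: "transfer", params: ["address", "uint256"] },
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
  a22cb465: { name: "setApprovalForAll", params: ["address", "bool"] },
};

const UINT256_MAX = (1n << 256n) - 1n;

// Decode one 32-byte ABI word (64 hex chars) of a static type.
function decodeWord(word, type) {
  switch (type) {
    case "address":
      return "0x" + word.slice(24); // 20-byte address is right-aligned in the word
    case "uint256":
      return BigInt("0x" + word);
    case "bool":
      return BigInt("0x" + word) !== 0n;
    default:
      throw new Error(`unsupported type ${type}`);
  }
}

// Split calldata into selector + arguments; refuse anything that does not
// match a known signature exactly, because "close enough" is how users get
// shown a misleading summary.
function decodeCalldata(hex) {
  const data = hex.toLowerCase().replace(/^0x/, "");
  if (data.length < 8) return { known: false, reason: "calldata shorter than a selector" };
  const selector = data.slice(0, 8);
  const abi = KNOWN_SELECTORS[selector];
  if (!abi) return { known: false, selector, reason: "unknown selector; only raw hex can be shown" };
  const body = data.slice(8);
  if (body.length !== abi.params.length * 64) {
    return { known: false, selector, reason: "argument length does not match signature" };
  }
  const args = abi.params.map((t, i) => decodeWord(body.slice(i * 64, (i + 1) * 64), t));
  return { known: true, name: abi.name, args };
}

// What a signer should be shown: a human-readable sentence plus risk warnings
// when the calldata is understood, otherwise only the raw hex (blind signing).
function renderForSigner(hex) {
  const d = decodeCalldata(hex);
  if (!d.known) return { clear: null, warnings: [d.reason], raw: hex };
  const warnings = [];
  let clear;
  if (d.name === "approve") {
    const [spender, amount] = d.args;
    const unlimited = amount === UINT256_MAX;
    clear = `approve ${spender} to spend ${unlimited ? "UNLIMITED" : amount.toString()} tokens`;
    if (unlimited) warnings.push("unlimited token allowance");
  } else if (d.name === "transfer") {
    const [to, amount] = d.args;
    clear = `transfer ${amount} tokens to ${to}`;
  } else if (d.name === "setApprovalForAll") {
    const [operator, approved] = d.args;
    clear = `${approved ? "grant" : "revoke"} operator ${operator} control of ALL tokens in this collection`;
    if (approved) warnings.push("collection-wide operator approval");
  }
  return { clear, warnings, raw: hex };
}

// Constructed sample calldata (addresses and amounts are made up for the example).
const SAMPLE_APPROVE_UNLIMITED = "0x095ea7b3" + "0".repeat(24) + "1".repeat(40) + "f".repeat(64);
const SAMPLE_TRANSFER = "0xa9059cbb" + "0".repeat(24) + "2".repeat(40) + "0".repeat(61) + "3e8";

for (const sample of [SAMPLE_APPROVE_UNLIMITED, SAMPLE_TRANSFER, "0xdeadbeef"]) {
  const shown = renderForSigner(sample);
  console.log("blind signing shows :", shown.raw);
  console.log("clear signing shows :", shown.clear ?? "(nothing decodable)", shown.warnings);
}
```

The unknown-selector branch is the point of the article: when the device cannot decode the call, the only thing left to display is the hex blob, and the user is asked to approve it anyway.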
Ledger stressed its commitment to preventing similar incidents and to securing the ecosystem, and urged DApp developers to adopt clear signing.
Ledger says the stolen assets were taken from users who blind signed transactions on Ethereum Virtual Machine DApps.
Phishing Scam Fallout: Ledger’s Statement on the Exploit’s Origins
During the exploit last week, developers on X (formerly Twitter) discovered a malicious version of the Ledger Connect Kit, a library that simplifies connecting Ledger devices to DApps.
According to Web3 security company BlockAid, the attacker injected a wallet-draining payload into the Ledger Connect Kit’s NPM package, allowing funds to be siphoned from users of DApps such as Sushi.com and Hey.xyz.
After learning of the attack, software wallet developer MetaMask advised users to “stop using DApps.” Ledger later acknowledged in a statement that the attack resulted from a former employee falling for a phishing scam.
With access to the former employee’s NPMJS account, the attacker published a malicious version of the Ledger Connect Kit. Any wallet that connected to a DApp through the compromised kit had its funds redirected to the attacker’s wallet.
Ledger’s security team was alerted and deployed a fix within 40 minutes; a new version of the Connect Kit (1.1.8) has since been released. Ledger devices and the Ledger Live app were unaffected by the exploit.
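The incident above is a hijacked publish on a package registry: a new release appeared under a trusted name, and anything that pulled the latest version picked it up. As an added example (not Ledger’s or the Connect Kit’s code, and not part of the original article), the script below audits a project’s `package.json` and `package-lock.json` for the three hygiene properties that limit exposure to that failure mode: exact version specs rather than ranges, a `sha512` integrity hash for every resolved package, and a `resolved` URL on the expected registry. It assumes the npm lockfile v2/v3 layout (a `packages` map keyed by `node_modules/...` path with `version`, `resolved` and `integrity` fields); the package names and manifest contents are constructed placeholders, not real packages.

```javascript
// Added example: dependency-hygiene audit for an npm project. Not Ledger's code.
// Assumes package-lock.json v2/v3 layout ("packages" keyed by node_modules path).
const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

// Constructed sample manifest and lockfile; "@example/*" names are placeholders.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "@example/connect-kit": "^1.1.0", // range spec: a later (possibly hijacked) release satisfies it
    "@example/wallet-ui": "2.4.1", // exact pin
  },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: SAMPLE_PACKAGE_JSON.dependencies }, // root project entry
    "node_modules/@example/connect-kit": {
      version: "1.1.8",
      resolved: "https://registry.npmjs.org/@example/connect-kit/-/connect-kit-1.1.8.tgz",
      // no "integrity": npm cannot verify the tarball it downloads for this entry
    },
    "node_modules/@example/wallet-ui": {
      version: "2.4.1",
      resolved: "https://cdn.example.net/wallet-ui-2.4.1.tgz", // fetched from outside the registry
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder hash, constructed
    },
  },
};

// Exact semver (with optional prerelease tag), no ^ ~ > * or "latest".
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Flag every dependency spec in the manifest that is a range instead of a pin.
function auditDependencySpecs(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) findings.push({ name, kind: "range-spec", detail: spec });
    }
  }
  return findings;
}

// Flag lock entries that lack a strong integrity hash or resolve off-registry.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.integrity) {
      findings.push({ name, kind: "missing-integrity", detail: entry.version });
    } else if (!/^sha512-/.test(entry.integrity)) {
      findings.push({ name, kind: "weak-integrity", detail: entry.integrity.split("-")[0] });
    }
    if (entry.resolved && !entry.resolved.startsWith(EXPECTED_REGISTRY)) {
      findings.push({ name, kind: "off-registry", detail: entry.resolved });
    }
  }
  return findings;
}

function auditProject(pkg, lock) {
  return [...auditDependencySpecs(pkg), ...auditLockfile(lock)];
}

for (const f of auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)) {
  console.log(`${f.kind.padEnd(18)} ${f.name}  (${f.detail})`);
}
```

Run against a real project by replacing the two constructed objects with `JSON.parse` of the files on disk. Pinning and integrity hashes do not stop a maintainer account takeover, but they do mean a malicious release is not installed silently the next time someone runs an install or a build.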
A Look at Ledger’s Past Security Criticisms
Ledger has faced security criticism before. In 2020, a breach of a Ledger customer email database exposed over a million user emails. Earlier this year, users also criticized Ledger’s optional ID-based Recover service, calling it a “backdoor.”
Takeaways
Following the security breach, Ledger intends to remove blind signing for Ethereum Virtual Machine DApps by June 2024. Its efforts to improve security and reimburse affected users highlight the ongoing difficulty of safeguarding blockchain ecosystems and their users, and underline the need for companies and developers to work together to strengthen the decentralized environment.