The โLedger hackerโ who siphoned away at least $484,000 from multiple Web3 apps on Dec. 14 did so by tricking Web3 users into making malicious token approvals, according to the team behind blockchain security platform Cyvers.
According to public statements made by multiple parties involved, the hack occurred on the morning of Dec. 14. The attacker used a phishing exploit to compromise the computer of a former Ledger employee, gaining access to the employeeโs node package manager javascript (NPMJS) account.
We have identified and removed a malicious version of the Ledger Connect Kit.
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device andโฆ
โ Ledger (@Ledger) December 14, 2023
Once they gained access, they uploaded a malicious update to Ledger Connectโs GitHub repo. Ledger Connect is a commonly used package for Web3 applications.
Some Web3 apps upgraded to the new version, causing their apps to distribute the malicious code to usersโ browsers. Web3 apps Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash were infected with the code.
As a result, the attacker was able to siphon away at least $484,000 from users of these apps. Other apps may be affected as well, and experts have warned that the vulnerability may affect the entire Ethereum Virtual Machine (EVM) ecosystem.
How it could have happened
Speaking to Cointelegraph, Cyvers CEO Deddy Lavid, chief technology officer Meir Dolev, and blockchain analyst Hakal Unal shed further light on how the attack may have occurred.
According to them, the attacker likely used malicious code to display confusing transaction data in the userโs wallet, leading the user to approve transactions they didnโt intend to.
When developers create Web3 apps, they use open-source โconnect kits” to allow their apps to connect with usersโ wallets, Dolev stated. These kits are stock pieces of code that can be installed in multiple apps, allowing them to handle the connection process without needing to spend time writing code. Ledgerโs connect kit is one of the options available to handle this task.
It sounds like today’s security incident was the culmination of 3 separate failures at Ledger:
1. Blindly loading code without pinning a specific version and checksum.
2. Not enforcing “2 man rules” around code review and deployment.
3. Not revoking former employee access.โ Jameson Lopp (@lopp) December 14, 2023
When a developer first writes their app, they usually install a connect kit through Node Package Manager (NPM). After creating a build and uploading it to their site, their app will contain the connect kit as part of its code, which will then be downloaded into the userโs browser whenever the user visits the site.
According to the Cyversโ team, the malicious code inserted into the Ledger Connect Kit likely allowed the attacker to alter the transactions being pushed to the userโs wallet. For example, as part of the process of using an app, a user often needs to issue approvals to token contracts, allowing the app to spend tokens out of the userโs wallet.
The malicious code may have caused the userโs wallet to display a token approval confirmation request but with the attackerโs address listed instead of the appโs address. Or, it may have caused a wallet confirmation to appear that would consist of difficult-to-interpret code, causing the user to confusedly push โconfirmโ without understanding what they were agreeing to.
Blockchain data shows that the victims of the attack made very large token approvals to the malicious contract. For example, the attacker drained over $10,000 from the Ethereum address 0xAE49C1ad3cf1654C1B22a6Ee38dD5Bc4ae08fEF7 in one transaction. The log of this transaction shows that the user approved a very large amount of USDC to be spent by the malicious contract.
This approval was likely performed by the user in error because of the malicious code, said the Cyvers team. They warned that avoiding this kind of attack is extremely difficult, as wallets do not always give users clear information about what they are agreeing to. One security practice that may help is to carefully evaluate each transaction confirmation message that pops up while using an app. However, this may not help if the transaction is displayed in code that is not easily readable or is confusing.
Related: ConsenSys exec on MetaMask Snaps security: โConsent is kingโ
Cyvers claimed that their platform allows businesses to check contract addresses and determine if these addresses have been involved in security incidents. For example, the account that created the smart contracts used in this attack was detected by Cyvers as having been involved in 180 security incidents.
While Web3 tools in the future could allow attacks like these to be detected and thwarted in advance, the industry still has โa long way to goโ in solving this problem, the team told Cointelegraph.
