Severe Impact Expected on EVM Ecosystem due to Attack on Ledger, MetaMask Among Affected
Summary:
The Ethereum Virtual Machine (EVM) ecosystem could be severely impacted due to an attack on Ledger's connector library, warns Consensys' Linea team. The breach also affected MetaMask, a wallet provider, along with several other protocols. MetaMask has since issued an update to combat the issue. The attack began after an ex-Ledger employee's NPMJS account was compromised. Ledger released a fix shortly after the problem's detection and recommends abstaining from the use of its Ledger Connect Kit for 24 hours. The hacker has supposedly stolen nearly $484,000 in assets.
The Linea team from Consensys, which operates a zero-knowledge rollup, has warned of a potential significant hit to the entire Ethereum Virtual Machine (EVM) landscape due to an attack on Ledger's connector library. This library, which the hacker targeted, essentially forms a bridge allowing Ledger hardware wallets to interact with numerous decentralized apps (DApps). The security breach also affected MetaMask, the wallet provider. Linea advises all web3 users to abstain from interacting with any dapps until the issue is fully resolved for safety reasons.
MetaMask has issued a notice via X, previously known as Twitter, stating that they have rolled out an update to rectify the problem. They assured users that those on the latest version v2.121.0 will be updated automatically and can resume performing transactions. For users on older versions, a refresh of their site data is recommended. The list of other impacted protocols incorporates Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash.
Blockchain security firm Certik conveyed to Cointelegraph that the drainer code will be executed by any DApp that imports the ledger CDN, requesting victims to connect through any wallet they support. The Ledger connector library represents a key element that ensures a functional link between the Ledger hardware and various DApps, thus a compromise could implicate a substantial number of EVM users and transactions.
The attack ensued post the phishing of an ex-Ledger employee, resulting in the compromise of their NPMJS account. "The assailant went on to propagate a harmful version of the Ledger Connect Kit, employing a fraudulent WalletConnect project to misdirect funds to a hacker wallet," relayed the firm on X. Ledger launched a fix about 40 minutes post the discovery of the issue, with advice for users to abstain from using its Ledger Connect Kit for 24 hours.
According to Lookonchain, a blockchain analytics platform, the attacker has absconded with nearly $484,000 worth of assets. Ledger mentions that the magnitude of the security violation could be more extensive. Two years post John McAfee's passing, the magazine reports his widow Janice, is now without financial resources and seeks answers.
Published At
12/14/2023 7:48:33 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.