Cryptocurrency wallet manufacturer Ledger has announced a crucial security update following a breach that led to the theft of approximately $600,000 in crypto assets. The breach, which began with a phishing attack on a former Ledger employee, exposed the risk that blind signing poses to users of decentralized applications (Dapps). In response, Ledger has pledged to “no longer allow Blind Signing with Ledger devices by June 2024”, according to a company statement.
Blind signing, in which the device asks the user to approve raw, undecoded smart contract data, has long been a subject of debate within the crypto community because a user cannot tell from the raw bytes what the transaction will actually do.
Ledger has been a vocal advocate for a more secure “what you see is what you sign” approach known as clear signing. This approach presents smart contract signing data in a human-readable format, making it less prone to malicious activities.
The company’s decision to sunset blind signing is seen as a proactive move toward establishing a new security standard across Dapps. Ledger has called upon Dapp developers to support and implement clear signing practices to bolster user protection and confidence.
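To make the blind-versus-clear signing distinction concrete, here is an added illustration that is not Ledger's code: a small decoder that takes ERC-20 calldata and renders it two ways, as the raw hex a blind-signing prompt shows, and as a human-readable sentence of the kind clear signing aims for. The two function selectors are the standard ERC-20 ones; the calldata samples are constructed, and the token decimals (18) are an assumption, since a real clear-signing implementation would look up the token's metadata.

```javascript
// Added example, not Ledger's implementation: decode ERC-20 calldata so the
// signer sees what a transaction does instead of raw bytes.

// Function selectors: first 4 bytes of keccak256 of the canonical signature.
const KNOWN_SELECTORS = {
  'a9059cbb': { name: 'transfer', params: ['address', 'uint256'] },
  '095ea7b3': { name: 'approve', params: ['address', 'uint256'] },
};

const UINT256_MAX = (1n << 256n) - 1n;

// Decode one 32-byte ABI word (64 hex chars) into the requested type.
function decodeWord(type, wordHex) {
  if (wordHex.length !== 64) throw new Error('ABI word must be 32 bytes');
  if (type === 'address') {
    // Addresses are right-aligned; the 12 leading bytes must be zero.
    if (!/^0{24}/.test(wordHex)) throw new Error('non-zero padding in address word');
    return '0x' + wordHex.slice(24);
  }
  if (type === 'uint256') return BigInt('0x' + wordHex);
  throw new Error(`unsupported type ${type}`);
}

// Parse calldata into { decodable, name, args }; unknown selectors are reported, not guessed.
function decodeCalldata(calldataHex) {
  const hex = calldataHex.replace(/^0x/, '').toLowerCase();
  if (hex.length < 8 || !/^[0-9a-f]*$/.test(hex)) throw new Error('malformed calldata');
  const selector = hex.slice(0, 8);
  const abi = KNOWN_SELECTORS[selector];
  if (!abi) return { decodable: false, selector };
  const body = hex.slice(8);
  if (body.length !== abi.params.length * 64) return { decodable: false, selector, reason: 'bad length' };
  const args = abi.params.map((type, i) => decodeWord(type, body.slice(i * 64, (i + 1) * 64)));
  return { decodable: true, name: abi.name, args };
}

// Convert a raw token amount to a decimal string (1500000000000000000, 18 -> "1.5").
function formatUnits(amount, decimals) {
  const base = 10n ** BigInt(decimals);
  const whole = amount / base;
  const frac = (amount % base).toString().padStart(decimals, '0').replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// What a blind-signing prompt shows: the bytes, nothing more.
function blindSigningView(calldataHex) {
  return `Sign data: ${calldataHex}`;
}

// What a clear-signing prompt shows: the decoded intent, with the risky case called out.
function clearSigningView(calldataHex, tokenDecimals = 18) {
  const d = decodeCalldata(calldataHex);
  if (!d.decodable) return `WARNING: unrecognised call (selector 0x${d.selector}); review before signing`;
  const [to, amount] = d.args;
  if (d.name === 'approve' && amount === UINT256_MAX) {
    return `Approve UNLIMITED spending of this token by ${to}`;
  }
  const human = formatUnits(amount, tokenDecimals);
  return d.name === 'transfer'
    ? `Send ${human} tokens to ${to}`
    : `Approve ${to} to spend ${human} tokens`;
}

// Constructed samples (addresses and amounts are placeholders, not real).
const SAMPLE_TRANSFER = '0xa9059cbb' + '0'.repeat(24) + '2'.repeat(40) + '0'.repeat(48) + '14d1120d7b160000';
const SAMPLE_APPROVE_MAX = '0x095ea7b3' + '0'.repeat(24) + '1'.repeat(40) + 'f'.repeat(64);

console.log(blindSigningView(SAMPLE_APPROVE_MAX));
console.log(clearSigningView(SAMPLE_APPROVE_MAX));
console.log(clearSigningView(SAMPLE_TRANSFER));
```

The unlimited `approve` case is the one worth noticing: under blind signing it is just another 136-character hex string, indistinguishable from a small transfer, while the decoded view makes the scope of the permission explicit before the user confirms.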
The breach, which involved a malicious version of the Ledger Connect Kit—a library facilitating Ledger device connectivity with Dapps—resulted in significant losses for users. The attacker injected a wallet-draining payload into the kit’s NPM package, diverting funds from users who interacted with Dapps utilizing the compromised kit, including platforms like Sushi.com and Hey.xyz.
Following the incident, software wallet developer MetaMask issued a stark warning to users, advising them to refrain from using Dapps until security concerns were adequately addressed.
Ledger acted swiftly, deploying a fix within 40 minutes of detecting the breach. A new version of the Connect Kit (1.1.8) has been released to mitigate further risks. Importantly, Ledger devices and the Ledger Live app remained uncompromised throughout the incident.
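Because the payload reached users through a poisoned NPM package rather than through the hardware, the defensive question for Dapp teams is how their build would have noticed. The following added example (not Ledger's or npm's code) audits a `package-lock.json` (lockfileVersion 3 layout) for the gaps that let such a swap pass silently: a dependency without an `integrity` hash, a `resolved` URL outside the expected registry, and a named package below a known-good version. The 1.1.8 floor comes from the article; the package name `@ledgerhq/connect-kit` is assumed, and the lockfile object is a constructed sample.

```javascript
// Added example: lockfile audit for NPM supply-chain hygiene. Constructed sample data;
// the package name @ledgerhq/connect-kit is an assumption, the 1.1.8 floor is from the article.

const EXPECTED_REGISTRY = 'https://registry.npmjs.org/';

// Packages for which a minimum known-good version is enforced.
const MINIMUM_VERSIONS = {
  '@ledgerhq/connect-kit': '1.1.8',
};

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Derive the package name from a lockfile path such as "node_modules/a/node_modules/b".
function packageName(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Walk every installed package and return findings: { pkg, rule, detail }.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === '') continue;      // root project entry, nothing fetched
    if (entry.link) continue;       // workspace symlink, nothing fetched
    const pkg = packageName(path);

    if (!entry.integrity) {
      findings.push({ pkg, rule: 'missing-integrity', detail: 'no hash; a swapped tarball would install unnoticed' });
    }
    if (!entry.resolved) {
      findings.push({ pkg, rule: 'missing-resolved', detail: 'no pinned source URL' });
    } else if (!entry.resolved.startsWith(EXPECTED_REGISTRY)) {
      findings.push({ pkg, rule: 'unexpected-registry', detail: entry.resolved });
    }
    const min = MINIMUM_VERSIONS[pkg];
    if (min && compareVersions(entry.version, min) < 0) {
      findings.push({ pkg, rule: 'below-minimum-version', detail: `${entry.version} < ${min}` });
    }
  }
  return findings;
}

// Constructed lockfile excerpt: one stale pinned kit, one dependency with no hash
// pulled from a non-registry host. Hashes and versions here are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-dapp', version: '0.1.0' },
    'node_modules/@ledgerhq/connect-kit': {
      version: '1.1.4',
      resolved: 'https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.1.4.tgz',
      integrity: 'sha512-CONSTRUCTED_PLACEHOLDER_HASH==',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://cdn.example.invalid/left-pad-1.3.0.tgz',
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.rule}\t${f.pkg}\t${f.detail}`);
}
```

A lockfile only governs what the build installs. A script tag that loads the same library from a CDN at request time bypasses every check above, so the same pinning and hash discipline (or self-hosting) has to be applied to runtime-loaded scripts as well.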
The breach has shed light on the importance of robust security measures within the cryptocurrency industry. Ledger has acknowledged that the attack’s origins were rooted in the former employee’s susceptibility to a phishing attack, prompting the need for heightened vigilance and stringent security protocols.
This incident serves as a stark reminder of the ongoing challenges and threats faced by cryptocurrency companies, even as the industry continues to evolve. Ledger is determined to learn from this episode and reinforce its commitment to user safety, acknowledging that clear signing and enhanced security practices are essential in safeguarding digital assets.
While Ledger’s past security issues have raised concerns, the company is determined to regain user trust and strengthen its position as a leader in the cryptocurrency wallet industry.