Hardware wallet manufacturer Ledger will disable blind signing for EVM decentralized applications (dapps) by June 2024, following an exploit in which a wallet drainer was added to a library used by many dapps to connect to its devices.

In a tweet, Ledger said that around $600,000 in crypto assets were stolen during the exploit. It announced that affected victims would be “made whole” and that it would “no longer allow Blind Signing with Ledger devices by June 2024.”

Blind signing involves the display of raw smart contract signing data that can be parsed by computers but is incomprehensible to a human reader. Ledger has previously advocated for a “what you see is what you sign” approach known as clear signing, in which smart contract signing data is parsed into a human-readable form.
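To make the blind-versus-clear signing distinction concrete, here is an added example (not Ledger's code or any dapp's) of a minimal calldata decoder of the kind a clear-signing flow relies on. It knows only the two standard ERC-20 selectors for `approve` and `transfer`; anything else is reported as requiring blind signing. The sample transaction is constructed, and the helper names are mine.

```javascript
// Minimal "clear signing" decoder for EVM calldata (added example, not Ledger's code).
// Only the two standard ERC-20 selectors are known; the sample below is constructed.

const KNOWN_FUNCTIONS = {
  // keccak256("approve(address,uint256)")[0..4]
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
  // keccak256("transfer(address,uint256)")[0..4]
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Decode one 32-byte ABI word according to its declared type.
function decodeWord(word, type) {
  if (type === "address") return "0x" + word.slice(24); // address is the low 20 bytes
  if (type === "uint256") return BigInt("0x" + word).toString();
  throw new Error("unsupported type " + type);
}

// Returns { clear: true, summary, name, args } when the call can be shown to a
// human, or { clear: false, reason } when the wallet would have to fall back to
// showing raw bytes (blind signing).
function decodeCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) {
    return { clear: false, reason: "malformed calldata" };
  }
  const selector = hex.slice(0, 8);
  const fn = KNOWN_FUNCTIONS[selector];
  if (!fn) {
    return { clear: false, reason: "unknown selector 0x" + selector + " (blind signing required)" };
  }
  const words = hex.slice(8).match(/.{64}/g) || [];
  if (words.length !== fn.params.length) {
    return { clear: false, reason: "argument count mismatch" };
  }
  const args = fn.params.map((type, i) => decodeWord(words[i], type));
  return { clear: true, name: fn.name, args, summary: `${fn.name}(${args.join(", ")})` };
}

// An unlimited token approval is the case a user most needs to see spelled out,
// so flag it separately from an ordinary bounded approval.
function isUnlimitedApproval(decoded) {
  return decoded.clear && decoded.name === "approve" && BigInt(decoded.args[1]) === MAX_UINT256;
}

// Constructed sample: approve(0x1111...1111, 2^256 - 1)
const SAMPLE_SPENDER = "1111111111111111111111111111111111111111";
const SAMPLE_CALLDATA = "0x095ea7b3" + SAMPLE_SPENDER.padStart(64, "0") + "f".repeat(64);

const decoded = decodeCalldata(SAMPLE_CALLDATA);
console.log(decoded.clear ? decoded.summary : "BLIND: " + decoded.reason);
console.log("unlimited approval:", isUnlimitedApproval(decoded));
```

The point of the example is the fallback branch: a device that only has raw bytes for an unknown selector cannot tell the user what they are authorising, which is the gap a drainer exploits and which clear signing closes only for contracts whose interfaces the wallet can decode.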

In its announcement, Ledger stated that its move to sunset blind signing would “lead to a new standard to protect users and encourage Clear Signing across DApps,” and encouraged dapp developers to support clear signing.

In last week’s exploit, a malicious version of the Ledger Connect Kit, a library that enables Ledger devices to connect with dapps, was identified by developers on Twitter. Web3 security firm BlockAid reported that “The attacker injected a wallet draining payload into the ledgerconnect kit’s NPM package,” enabling them to drain the funds of users who signed on dapps including Sushi.com and Hey.xyz.

Software wallet developer MetaMask warned users to “stop using dapps” after news of the attack broke.

In a follow-up post, Ledger confirmed that the attack took place as a result of a former employee falling victim to a phishing attack. The attacker was able to gain access to the former employee’s account on NPMJS, a JavaScript package manager, enabling them to push a malicious version of the Ledger Connect Kit. The malicious Connect Kit then rerouted user funds from any wallet connecting to a dapp that used it to the hacker’s own wallet.

Ledger stated that a fix was deployed within 40 minutes of the firm’s security teams being alerted, and that it had pushed a new version of the Connect Kit (1.1.8). Ledger devices themselves, and the firm’s Ledger Live app, were not compromised by the exploit, it added.
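The attack path described above, a hijacked maintainer account publishing a new version to the registry, is one a consuming project can partly defend against by refusing to build when a pinned dependency drifts from the version and content hash that was reviewed. The following is an added example of such a gate, not Ledger's code or any dapp's; the package name `@ledgerhq/connect-kit` is assumed for illustration, the lockfile entries are constructed, and the integrity strings are placeholders rather than real hashes.

```javascript
// Dependency gate over a package-lock.json (added example, not Ledger's code).
// Fails when a pinned package's version, integrity hash or download source
// differs from what was reviewed. Package name is assumed; hashes are placeholders.

const PINNED = {
  "@ledgerhq/connect-kit": {
    version: "1.1.8",                                   // version cited in the article
    integrity: "sha512-PLACEHOLDER_REVIEWED_HASH",      // constructed placeholder
  },
};

const REGISTRY_PREFIX = "https://registry.npmjs.org/";

// Returns a list of human-readable findings; an empty list means the gate passes.
function checkLockfile(lockfileText, pinned = PINNED) {
  const lock = JSON.parse(lockfileText);
  const packages = lock.packages || {};          // lockfileVersion 2/3 layout
  const findings = [];

  for (const [name, expected] of Object.entries(pinned)) {
    const entry = packages["node_modules/" + name];
    if (!entry) {
      findings.push(`${name}: not present in lockfile`);
      continue;
    }
    if (entry.version !== expected.version) {
      findings.push(`${name}: version ${entry.version}, expected ${expected.version}`);
    }
    if (!entry.integrity) {
      findings.push(`${name}: no integrity hash recorded`);
    } else if (entry.integrity !== expected.integrity) {
      findings.push(`${name}: integrity hash differs from the reviewed hash`);
    }
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY_PREFIX)) {
      findings.push(`${name}: resolved from unexpected source ${entry.resolved}`);
    }
  }
  return findings;
}

// Constructed lockfile that matches the pin exactly.
const GOOD_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/@ledgerhq/connect-kit": {
      version: "1.1.8",
      resolved: REGISTRY_PREFIX + "@ledgerhq/connect-kit/-/connect-kit-1.1.8.tgz",
      integrity: "sha512-PLACEHOLDER_REVIEWED_HASH",
    },
  },
});

// Constructed lockfile where the dependency has silently moved to a newer
// release with a different hash, which is what an unreviewed publish looks like.
const DRIFTED_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/@ledgerhq/connect-kit": {
      version: "9.9.9",
      resolved: REGISTRY_PREFIX + "@ledgerhq/connect-kit/-/connect-kit-9.9.9.tgz",
      integrity: "sha512-PLACEHOLDER_DIFFERENT_HASH",
    },
  },
});

console.log("good:", checkLockfile(GOOD_LOCK));
console.log("drifted:", checkLockfile(DRIFTED_LOCK));
```

Run this in CI before `npm ci`; it complements rather than replaces the lockfile itself, because the lockfile only records what was last installed, while the pin table records what a human actually reviewed.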

The firm has previously faced criticism over its security. In 2020 a Ledger customer email database was hacked, with over a million user emails compromised, while earlier this year Ledger’s voluntary ID-based Recover service was dubbed a “backdoor” by users. Ledger’s co-founder Éric Larchevêque described the rollout of the Recover service as “a total PR failure, but absolutely not a technical one.”
