Crypto hardware wallet provider Ledger will enact changes to transaction signing processes after a Dec. 14 exploit in the Ledger Connect Kit software library.
“We are aware of approximately $600,000 in assets impacted, stolen from users blind signing on EVM DApps,” Ledger wrote in a Wednesday X post. It’s “committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.”
Both Ledger and non-Ledger customers who lost funds from the exploit will be “made whole” by the end of February 2024, the firm said, adding that those who signed a transaction on affected DApps should revoke unauthorized transactions to prevent the malicious code from affecting them further.
“Our commitment is to work with the community and DApp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and encourage Clear Signing across DApps,” Ledger wrote.
Blind signing refers to a process when a user is presented with raw data, interpretable by computers but unreadable to humans, to approve on-chain transactions with their private key. Clear signing summarizes a transaction for a user to review and understand before executing it, Ledger explained in a June 2022 article.
Ledger ConnectKit security issue
Last week, a critical vulnerability affecting several decentralized applications impacted a software library that Ledger relied on, The Block previously reported. Potentially due to a compromise in the software library’s specific content delivery network, malicious code had been injected into the front-ends of the apps that allowed the exploiter to steal assets.
Ledger removed the malicious code after identifying it, but third-party organizations estimated that around $500,000 in funds had been affected around the time.
The malicious code, known as Angel Drainer malware, rerouted user assets to the hacker’s wallets. The attack started with a “sophisticated phishing attack” on a former Ledger employee whose access had not been revoked manually in time, the firm said in a detailed account of the exploit.
“This was an unfortunate isolated incident,” Ledger said. “The phishing technique implemented did not focus on credentials, which is what we see in most Front-End attacks affecting the ecosystem, but instead the attacker worked directly on the session token.”
(Updates with an explanation of blind and clear signing.)
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.