Ledger library flaw affects SushiSwap, Revoke.cash dapps

SushiSwap Chief Technical Officer Mathew Lilley has disclosed the compromise of a widely employed web3 connector within Ledger’s delivery network

The breach has enabled malicious code injection into numerous decentralized applications (dapps)

Removal of malicious provider

Lilley contended that Ledger’s content delivery network was compromised, leading to the loading of Java from the compromised network.

The compromised Ledger connector library, widely employed by ious dapps and overseen by Ledger, has seen the addition of a wallet drainer. While assets may not be drained automatically from a user’s account, s from browser wallets like MetaMask could potentially provide malicious actors access to the assets, according to Lilley’s claims.

The renowned cryptocurrency hardware wallet provider has since taken to X to announce the identification and removal of a malicious version of the Ledger Connect Kit. The company urges users to exercise caution and temporarily abstain from engaging with dapps.

Assuring the community of their proactive stance, Ledger has already initiated the deployment of a genuine replacement for the compromised file. Ledger also emphasizes that the security of user Ledger devices and Ledger Live remains intact, with no compromise detected.

An ongoing target

This is not the first time Ledger has been a target of malicious acts. On Nov. 5, crypto investigator ZachXBT raised an on the X platform regarding a fraudulent application named Ledger Live Web3

This deceptive application mimicked the legitimate Ledger Live app, an official user interface for storing crypto assets offline using hardware wallets, effectively causing users to lose $800,000.