Ledger’s Connect Kit compromise leads to front-end exploits in multiple projects

Sushi CTO alerts on industry-wide exploit affecting DeFi dApps


The decentralized finance (DeFi) world went on high alert after Sushi’s Chief Technology Officer, Matthew Lilley, warned of a widespread exploit involving Ledger’s Connect Kit, a library many dApps embed to let users connect their wallets.

The compromise affected multiple DeFi protocols, including SushiSwap, not through their smart contracts but through their front ends: the web pages served to users were loading a malicious version of the library.

Urgent warning to users

Lilley advised users via X to avoid interacting with any decentralized applications (dApps) until further notice.

https://twitter.com/MatthewLilley/status/1735275960662921638?s=20

He revealed that a web3 connector commonly used by these applications had been compromised, allowing attackers to inject malicious code into every site that loaded it. Because the connector is a shared dependency, a single compromised release had the potential to impact numerous dApps across the DeFi landscape at once.

Nature of the exploit

A front-end exploit targets the web interface rather than the protocol itself: attacker-controlled code injected into the page changes what the user interface asks the user’s wallet to sign, for example swapping the recipient address of a transfer or requesting a token approval to an attacker-controlled address, so that funds are diverted by the user’s own signature.

Importantly, such exploits do not grant access to the protocol’s hot wallets or smart contracts; they manipulate the UI to mislead users into authorizing transfers themselves.

The malicious code was shipped inside hardware wallet provider Ledger’s own Connect Kit library. Reports indicated that the published library had been replaced with a version containing a token drainer, so any site loading it served the drainer to its visitors.

The injected code prompts unsuspecting users to connect their wallets via a pop-up; once a user connects and approves the requests it generates, the drainer transfers their assets. Several DeFi websites, including Zapper and RevokeCash, reported the same behaviour on their pages.

Ledger confirmed the compromise of its Connect Kit library and said it was pushing a genuine version to replace the malicious file. Until the replacement has propagated to every site that loads the library, users are urged to refrain from interacting with any dApps.

https://twitter.com/Ledger/status/1735291427100455293?s=20

Banteg, a lead developer of Yearn.finance, confirmed the compromise, noting that by targeting just the connect-kit the attackers reached every library and site that depends on it. He emphasized caution and advised waiting until the situation becomes clearer.

Both SushiSwap and Revoke Cash acknowledged the impact of the incident on their platforms. They have advised users to refrain from engaging with their frontends until a resolution is reached.

Hudson James, a VP at Polygon Labs, echoed the warnings and advised against interacting with any dApp frontends on websites. He highlighted the ongoing risks associated with using dApps without understanding the backend libraries they utilize.
