After learning that Ledger's Connect Kit library, widely used for developing decentralized applications (dApps), fell victim to a cybersecurity attack, members of the cryptocurrency community commented on the impact of the case.
Among them is a post on the Agenda IA blog, which warns that the incident of December 14th serves as a clear reminder of the importance of cybersecurity, especially in the area of decentralized applications.
The post adds that the exploitation of Ledger's library highlights the fragility of decentralized applications, since these protocols use code from various software providers, including Ledger. “In this process, there are numerous sources of error along the entire supply chain, which ultimately affect the users,” emphasizes Agenda IA.
The X user @knowcryptoshow also considers that Ledger is facing a serious internal problem with its standard operating procedures, given that the malicious code that affected the library was introduced through an attack on an employee of the company.
“The company's current structure, which allows a single employee to independently approve code changes, is not only risky; this is negligent,” @knowcryptoshow wrote on the social network. “This lack of proper oversight and control in the code approval process resulted in a significant security breach,” he added.
He therefore recommends a system in which multiple approvals are required for all code changes, a control that significantly reduces the risk of introducing unauthorized or malicious code, as happened in this case.
In this regard, Agenda IA recalls that although the risk situation appears to have been resolved following the company's announcement of the library replacement, all projects linked to Ledger “must update and implement the corrected version of the library to ensure the security” of their dApps.
The blog explains that this process may take some time, and therefore recommends refraining, for now, from interacting with any front end, the part of an application that interacts directly with users in dApps and DeFi protocols.
“This precautionary measure is essential as the current situation remains unpredictable,” notes Agenda IA. Users should then check whether the applications they use have completed this update before resuming their usual activities.
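The update check above, seen from the dApp developer's side: an added example, not code from the article or from Ledger, that audits an npm package-lock.json for every resolved copy of the library, hoisted or nested, and flags copies below the fixed version or shipped without an integrity hash. It assumes the npm package name @ledgerhq/connect-kit and takes the minimum fixed version as a parameter; the version numbers in the sample lockfile are constructed for illustration and are not the real affected or fixed releases.

```javascript
// Added example (not from the article or from Ledger): audit an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for every resolved
// copy of a dependency and flag copies that are below the vendor's fixed
// version or that lack an integrity hash. The package name is assumed to be
// @ledgerhq/connect-kit; the fixed version must come from the vendor's advisory.
const TARGET = "@ledgerhq/connect-kit";

// Compare dotted numeric versions (major.minor.patch); pre-release tags ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// One finding per installed copy of `target`: a lockfile can hold several
// (a hoisted copy plus copies nested under other dependencies).
function auditLock(lock, minFixed, target = TARGET) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + target)) continue;
    const issues = [];
    if (cmpVersion(meta.version, minFixed) < 0) issues.push("below-fixed-version");
    if (!meta.integrity) issues.push("missing-integrity"); // tarball not pinned by hash
    findings.push({ path, version: meta.version, ok: issues.length === 0, issues });
  }
  return findings;
}

// Constructed sample lockfile (version numbers are made up): one hoisted copy
// at the fixed version and one stale copy nested under a wallet UI package
// that ships without an integrity hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "1.0.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "2.1.0", integrity: "sha512-constructed" },
    "node_modules/example-wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "2.0.3" },
  },
};
const SAMPLE_MIN_FIXED = "2.1.0"; // constructed placeholder, not Ledger's actual fixed release

// Stand-alone run: print every copy that still needs attention.
for (const f of auditLock(SAMPLE_LOCK, SAMPLE_MIN_FIXED)) {
  if (!f.ok) console.log(`${f.path}@${f.version}: ${f.issues.join(", ")}`);
}
```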
For his part, Ido Ben-Natan, co-founder and CEO of Blockaid, explained that Ledger users are not at risk as long as they do not transact. He stated that the amount of stolen funds was high, hundreds of thousands of dollars in about four hours, and that many websites and users are still affected.
The warning applies to anyone who interacts with a decentralized application whose front end was built with the Ledger library.
It is worth remembering that LedgerHQ/connect-kit is a library used by the front ends of numerous decentralized applications, among which Zapper, SushiSwap, Phantom, Balancer and Revoke.cash stand out.