SushiSwap And Other dApps Exploited Through Ledger Connect Vulnerability

Published: Dec 14, 2023
Written By:
Vignesh Karunanidhi
Milk Road Writer

Several major dApps, including SushiSwap, have been affected by a malicious attack targeting Ledger’s API kit, according to industry sources. Exploitation of vulnerabilities in Ledger’s code has enabled attackers to inject harmful JavaScript into widely used DeFi interfaces.

  • The attack appears to originate from the compromised Ledger API, allowing code injection.
  • SushiSwap, Zapper, and RevokeCash are among the DeFi sites impacted.
  • The full scale and impact are still unclear.

SushiSwap CTO Matthew Lilley posted multiple tweets recently urging users not to interact with any DeFi applications after detecting issues likely arising from compromised infrastructure provided by hardware wallet maker Ledger.

SushiSwap CTO cites Ledger’s blunder as the reason for the exploit

Lilley explained that a failure by Ledger to version-lock JavaScript loaded from a content delivery network (CDN) led to attackers compromising the CDN and injecting dangerous code.
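A defender-side check for the failure Lilley describes, added here as an illustration and not code from Ledger, SushiSwap or this article: it audits a page's third-party `<script>` tags for floating version specifiers and missing Subresource Integrity attributes. The package name, CDN host, version numbers and the npm-style `name@version` URL layout are constructed assumptions.

```javascript
// Constructed sample markup; package name, CDN host and versions are placeholders.
const SAMPLE_HTML = `
<script src="https://cdn.example/npm/@example/connect-kit@1"></script>
<script src="https://cdn.example/npm/@example/connect-kit@latest/dist/index.js"></script>
<script src="https://cdn.example/npm/@example/connect-kit@1.1.4/dist/index.js"></script>
<script src="https://cdn.example/npm/@example/connect-kit@1.1.4/dist/index.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
`;

// Only a full major.minor.patch (optionally with a pre-release tag) counts as pinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Extract the specifier from a ".../name@spec/..." path (npm-style layout assumed).
function versionSpec(url) {
  const m = new URL(url).pathname.match(/\/(?:@[^/@]+\/)?[^/@]+@([^/]+)/);
  return m ? decodeURIComponent(m[1]) : null;
}

// Return one finding per cross-origin <script> tag, listing what is not locked down.
function auditScripts(html, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue; // inline script, nothing fetched
    const url = new URL(src, origin);
    if (url.origin === origin) continue; // first-party, out of scope here
    const spec = versionSpec(url.href);
    const issues = [];
    if (spec === null) issues.push("no version in URL");
    else if (!EXACT_VERSION.test(spec)) issues.push(`floating version "${spec}"`);
    // Without SRI the browser runs whatever bytes the CDN returns for this URL.
    if (!/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag)) {
      issues.push("no SRI integrity attribute");
    }
    findings.push({ src: url.href, issues });
  }
  return findings;
}

for (const f of auditScripts(SAMPLE_HTML, "https://app.example")) {
  console.log(f.issues.length ? "FLAG" : "OK  ", f.src, f.issues.join("; "));
}
```

A specifier such as `@1` or `@latest` resolves to whatever the newest matching release is at load time, so a malicious publish reaches every page that references it; an exact version plus an integrity hash makes the browser refuse any file that differs from the one reviewed.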

Beyond Sushi, Zapper and RevokeCash acknowledged similar issues stemming from the Ledger vulnerability. The full extent of impacted applications is still unknown as assessments are ongoing.

In his warning tweets, Lilley stressed that this was not an isolated incident but rather a sweeping “large-scale attack on multiple dApps.”

The Sushi CTO highlighted that any dApp that makes use of the LedgerHQ/Connect kit is vulnerable to the exploit. He also warned users not to use any dApps until further notice.

SushiSwap was quick to address the incident and tweeted that it had identified the Ledger connector as critically compromised, potentially allowing injection attacks.

Additionally, Sushi warned users who encounter unexpected pop-up wallet connection requests not to approve them or connect wallets, saying it is working to remove the problematic Ledger integration.

Ledger pushed out a tweet after the incident, stating that it has now removed the malicious version of the Ledger Connect Kit. The tweet also mentioned that a genuine version is being pushed to replace the malicious file.

Vignesh Karunanidhi

Vignesh has been a seasoned professional in the crypto space since 2017. He has been writing for over 6 years and specializes in writing and editing various types of crypto content, including news articles, long-form pieces, and blog posts, all focused on sharing the beauty of blockchain and crypto.
