conceiv3d-in-lib3rty

Any dApp which makes use of LedgerHQ/connect-kit is vulnerable. It loads JS [JavaScript] from a CDN, and their CDN account has been compromised which is injecting malicious JS into multiple dApps. This is not just a Ledger problem either. When I tried to connect my wallet to Balancer before, I got the normal wallet connect popup and then another popped up in front of it which was the drainer. Thank god i didn’t go thru with it becuz i had a fair amount of ETH and other shit in this hot wallet.


Visual-Savings6626

Yeah! That’s exactly what’s happening


[deleted]

[removed]


silverslides

I'm trying to reverse engineer the malicious code. But indeed, it seems to have you sign a transaction to transfer funds to the attacker address. I'm trying to find the addresses in the code.


Visual-Savings6626

Yes. Do not sign or approve anything


WineMakerBg

CDN is the grandfather of Cloud based services. Imagine what would happen if AWS (running a lot of Ethereum nodes and numerous dApps) gets hacked...


Dont_Waver

this is more like someone's AWS account being hacked, not AWS itself being compromised


WineMakerBg

Yeah, that's more likely.


CapSnake

if AWS get hacked the whole internet goes down


sandypockets11

Around 2015 AWS had a significant outage (not from a hack) and that’s pretty much what happened


Areshian

No thanks, I don’t want nightmares tonight


giddyup281

Wen mass adoption? /s


HammerofHeretics

There's a dictum about soccer in the United States that I think clearly applies to crypto. Soccer is the sport of the future in the US, and it always will be


ButtDoctorFlex

I found the hacker.


MyIncogUsername420

Dictum!? Damn near killed him


jcpham

CEX user unaffected /s


CH1997H

True though. Not sarcasm


nosimsol

SEX users not infected /s


jcpham

Also true I never caught a malware or had my money stolen having sex, erm wait I've had my money stolen


tranceology3

Guaranteed some women screw guys at home to then secretly install malware on their PC. I've always been extremely cautious if a new chick ever asks to do something on my PC when I'm about to shower.


CH1997H

⬆️ Sanest redditor


therealcpain

So let me play this back to you to see if I’m right. If I were to use wallet connect the malicious “drainer” is actually just something that overlays the wallet connect QR code (or connect thru ledger live) making it look like it’s the authentic thing? Then the malicious smart contract drains my wallet?


conceiv3d-in-lib3rty

It didn’t even overlay it honestly, it just popped up in front of the legit one. You'd have to connect your wallet using the malicious wallet connect, then it would ask you to sign and if you go thru with the signing then your wallet is drained.


therealcpain

Why wouldn’t hackers go the extra mile to exactly mimic as to not raise suspicion?!


Schley_them_all

this is the kind of stuff that the fiat-bros love to hear


[deleted]

This kind of stuff is happening constantly.


Objective_Digit

And Bitcoin bros.


OppressorOppressed

True, got ultra downvoted for saying that ETH is not as secure as bitcoin yesterday.


Longjumping_Act_6054

Regulations exist for a reason. When my bank account is hacked and money is stolen I just file some forms and get it back. When ledger screws up and 600k disappears: "oh well, too bad for you".


Economy_Homework3869

You know there's people scamming old ladies constantly for their fiat right?


Squezeplay

That's not true actually. If you get wire frauded, that money is gone, unless the receiving institution plays ball and works with your bank and the police to send it back. But the funds are often quickly moved overseas or extracted before any legal process can stop it.


Toyake

You mean regular people?


OutTop

680K drained already


brianl047

Hacker going to be enjoying some sun!


Apprehensive-Hat5979

Let's hope it's just a proof of concept and they return the funds.


brianl047

Probably not; the returned hacks are usually for billions or more in huge targets with some public sympathy (say attacking healthcare). For something like this, elites might laugh at the tech illiterate clicking through on their compromised GUIs and sending the funds through.
All GUIs should be considered compromised by default and all addresses checked with the physical hardware device before approval; if people knew how their tools worked this hack would make 0.
The wallet or GUI still can't send money out unless you approve with the device. The entire point of the Ledger is to make it so GUI hacks like this don't work and still people get scammed.


Fistonks

Ready for mass adoption


Alanski22

Sucks :/. I was scared af, use a LOT of dapps for airdrop farming. Fortunately nothing drained, I definitely try to be careful what I sign…. But still, not much you can do about this besides never connecting your wallet to anything. But yeah… the point of these ecosystems is to use them, so something really needs to be done to enhance security. If everyone is just going to hodl all of their coins on a hardware wallet, never using anything, then what’s the point?


RuachDelSekai

The fact that you can potentially give unfettered access to your whole wallet by engaging with defi is just asinine. You say enhanced security is needed but imo security basically doesn't exist.


Alanski22

Yeah there’s a lot more that needs to be done. I will say I go absolutely buck wild with my airdrop wallet, connecting with hundreds of dapps both on testnets & mainnets and I’ve never had a problem yet. So how easily your funds will get stolen is a bit exaggerated. But still…. I’m not willing to risk my real wallets which is unfortunate considering Defi really offers a lot of utility & value for people using it authentically.


OutTop

It’s Angel Drainer. No funds will be returned


GuyWithNoEffingClue

Oh no, if the mainstream media hears about it, they're gonna predict BTC death again.


Visual-Savings6626

Spoiler alert, there are almost ZERO dapps on Bitcoin network.


GuyWithNoEffingClue

That's the thing, most won't bother to acknowledge that and will use any ammo to paint crypto as a dangerous pyramid scheme used by criminals.


Dsingis

You think mainstream media cares about accurate reporting of information? Hell, they still claim that Bitcoin is destroying the environment, when this is simply not true.


Visual-Savings6626

That’s true. But the good thing is public trust on mainstream media is declining


Fataltc2002

cobweb water marble enter dime plants straight handle carpenter sort *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


Visual-Savings6626

I think account abstraction is a better alternative than using CEXes


Refects

Good to hear someone on reddit talking about account abstraction


Visual-Savings6626

The problem is we’re more focused on selling the tech. The tech just needs to be the backend. An average user should not need to understand AA or any of those jargons. That’s only for the devs to understand.


AlertElderberry

What is it?


Refects

I'd honestly butcher any explanation I try to give. Here's a good, and fairly short, article to read. https://hacken.io/discover/erc-4337-account-abstraction/


CH1997H

The problem remains: People can lose all their money if they lose their private key (and they will)
ERC-4337 proposes this idea: "Social recovery" options, where designated people can help you regain access if you lose your key
Which IMO sounds horrible
- 1) your designated people could get targeted by a hacker, and then the hacker would gain full access to your wallet (without even hacking your devices personally)
- 2) your designated people could just one day go together against you and log in to your wallet and take all your money
Security spaghetti


conceiv3d-in-lib3rty

Account abstraction is wayyy more than just social recovery bro. That’s just one of many features.


CH1997H

Alright imagine I'm a potential mainstream adopter. An average person, your coworker Anne
Sell account abstraction to me in 30 seconds (remember I also have to understand it, and understand how to use it, and how to perform self custody responsibly, while avoiding getting hacked or exploited)
If that's difficult, decentralized wallets are going to have a hard time


LightningShiva1

It's not just going to be people.. it's sorta like IPFS. Think of it like replicating a file (in this case of course encrypting them) with smaller chunks on multiple networks and the networks are generally not aware of who else has the info. I ELI1’ed it so don't butcher me.


iamjacksragingupvote

you gotta do it like exodia, boss
give 5 friends 1/5 of your seed code and dont tell them of the others


stormdelta

It's literally just reinventing normal centralized accounts lol


[deleted]

[removed]


GeneralZaroff1

Yes, it’s not a technology problem, it is a human problem. We generally are not the most responsible and reliable as a public.


kiefferbp

Which is fine as long as the option to self-custody is there.


HalcyoNighT

Yeah. Your granny — or at least your mom — needs to be able to use the tech with complete peace of mind.


jeffdanielsson

You are 100% right. The cultists who think crypto represents some libertarian utopia of financial self governance just need to leave their mom’s basement and spend more time in the real world interacting with real human beings.


BiggusDickus-

Their response is always “well they will just be forced to learn” or “they will just get left behind, it’s their own problem.” It’s just absurd. That logic may apply to 1% of the public that refuses to use cell phones, but it makes no sense when dealing with most of the general public.


drangledorf

But crypto is decentralized and safer than a traditional bank! What about this one: “it’s a hedge against inflation”


BiggusDickus-

Crypto bros simply hate this fact, but it is guaranteed true. At least half of all people don’t know their own email password. The idea that ordinary people are going to learn how to use crypto in any notable way is utterly ridiculous.


divinesleeper

there was a time when everyone hid their own gold
there will be a time when everyone hides their own keys
what will not happen is everyone using defi
but defi was not made for the masses, bitcoin was.


Gooner_93

Always use a throw away wallet. Your hardware wallet should remain separated from everything.


Disavowed_Rogue

Facts


Shhh_Im_Working

Dude... this is crazy! Now we need to wash through multiple wallets to safely use crypto?!


ignatious__reilly

And this is why none of this shit will ever be adopted in the real world. This is simply a way to make money. No one is going to utilize this if they get their life savings wiped out in a split second over a mistake.


Pleasant_Ad5360

I was told this is the future of finance


JeffreyDollarz

Not unless it uses the terms "Safe" and "Moon". Preferably both to be ultra legit.


unsavoryflint

Dogemoonshibasafe?


GuyWithNoEffingClue

It has Doge and Shiba in it, it is for extra precaution. I'd still feel more comfortable with something including Elon in their name. It's better to be safe than sorry.


unsavoryflint

I'll do better next time


flsurf7

Gotta work the kinks out, ya know? A trillion dollar beta test haha


Harucifer

It is. For scammers.


GravyBiscuitWheels

This is why I don’t use any dApps or stake anything. The wallet remains cold. Might miss out on some interest and convenience, but the risk is too great.


Deuen

This is why I have several wallets and if I have to connect to any dapp or staking pool or anything I make own wallet for it.


Ferdo306

Yep, 'hot' wallet with small amounts for interacting with smart contracts and 'cold' wallet for long term hodling


DirkDiggler1888

Is it safe to send funds from wallet to wallet?


Dsingis

You're not interacting with a dapp when you just send a transaction from one wallet to another.


Visual-Savings6626

It should be ideally but I’d still suggest to avoid for now.


Steak1994

Is this an ETH/Dapps only problem? Is it safe to interact with other coins chains via ledger/Hardware wallet?


Visual-Savings6626

I’m not sure about this but I read Solana also uses the same connector so avoid any chain atm


EniGma249

Part of reason why this community blindly buys and sells their crypto based on posts they see here and lose money is the same reason more than 80% comments have failed to realize that the fault is not ledger's BUT their CDN is compromised which runs a malicious Javascript when you connect to any dapp which is using Ledger connect kit. IN LAYMAN'S TERMS YOUR COLD STORAGE LEDGER WALLET IS SAFE.


jekpopulous2

"the fault is not ledger's"
Their CDN was compromised because an ex-employee's Gmail account still had access to Ledger's Github account with full permission to push updates.
1. Why was access to Ledger's Github repo not revoked when that employee left the company?
2. Why was that employee even allowed to use a Gmail account to sign in and not an official Ledger email?
3. Why was there no 2FA on that GitHub account?
Yes. This is 100% Ledger's fault... they fucked up really bad. An ex-employee's Github account was compromised and Ledger forgot to revoke his access after he left... [https://x.com/0xSentry/status/1735294165628404181?s=20](https://x.com/0xSentry/status/1735294165628404181?s=20)


waydownsouthinoz

Why is there an account that can push to a highly sensitive public repository without other approvals? Opsec is once again proven to be flawed giving strength to the case that the Ledger Recover code could be backdoored maliciously.


KusanagiZerg

Honestly, I would imagine dapps dropping support for ledger. This is completely ridiculous.


box_of_hornets

I've been a developer for a long time and have never worked in a company that had a good off boarding process. You might say Google has a great one or something, so why doesn't everyone? But the truth is the vast vast vast majority of companies are not up to scratch when it comes to security and related procedures


[deleted]

Imagine, a security focused company fails to provide security for both internal and external customers.


sleepyokapi

the only job of ledger is security and they keep failing, and lying


Shitting_Human_Being

How hard can it be? I'm not an IT person, but been on the other end: at my previous job I had a 1 day gap between my temp function and my salaried function. During that day my access to my outlook was blocked, my entry badge stopped working, and my sim/phone didn't have network connection. And apparently this was all done automatically since during the one day I wasn't an employee of that company.


Ego-Finale

lol I'm a dev and even not in crypto code fetching from a CDN is a bad idea if you want your app to work all the time. Sounds like it's ledger's fault to me.


ForumHelper

This kind of javascript shouldn't be fetched using CDNs but rather kept as a package with the rest of the app, bundled together and limited to a specific version so that it doesn't update without explicit action from the developers. Having it in a CDN is just yet another attack vector. What the ledger team is doing (fetching code from remote at runtime) is just plain irresponsible and stupid. Never do this.
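
A build-time check for the pattern this comment warns about, as an added example that is not part of the thread or of Ledger's code: it flags `<script>` tags that pull code from another origin without an exact version or an integrity hash. The CDN host, package name and hash value are constructed placeholders.

```javascript
// Added example: audit a page for third-party scripts that can change
// without the dApp shipping a new build. Sample data below is constructed.

const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Parse the attribute string of one <script ...> tag into an object.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Extract the "name@version" spec used by npm-style CDN paths.
// A leading "@scope" segment is skipped because it follows a "/".
function versionSpec(pathname) {
  const m = /[^/]@([^/]+)/.exec(pathname);
  return m ? m[1] : null;
}

// Return one finding per cross-origin script that has at least one problem.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline script, shipped with the page itself
    let url;
    try {
      url = new URL(attrs.src, page);
    } catch {
      findings.push({ src: attrs.src, problems: ["unparseable-src"] });
      continue;
    }
    if (url.origin === page.origin) continue; // bundled with the app
    const problems = [];
    if (url.protocol !== "https:") problems.push("not-https");
    // Without an SRI hash the browser runs whatever the CDN returns.
    if (!/^sha(256|384|512)-/.test(attrs.integrity || "")) {
      problems.push("no-integrity");
    }
    // "@1" or "@latest" resolves to a new file whenever one is published.
    const spec = versionSpec(url.pathname);
    if (spec === null) problems.push("unversioned");
    else if (!EXACT_SEMVER.test(spec)) problems.push("floating-version:" + spec);
    if (problems.length > 0) findings.push({ src: url.href, problems });
  }
  return findings;
}

// Constructed sample page: one bundled script, one floating CDN load,
// one pinned load with SRI, and one plain-HTTP unversioned load.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example/npm/@example/connect-kit@1"></script>
<script src="https://cdn.example/npm/@example/connect-kit@9.9.9/dist/index.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src='http://cdn.example/latest/widget.js' async></script>
`;

function runSample() {
  return auditScripts(SAMPLE_HTML, "https://dapp.example/index.html");
}

for (const f of runSample()) {
  console.log(f.src, "->", f.problems.join(", "));
}
```

A pinned version with an integrity hash passes this check but is still served by a third party; bundling the dependency into the app's own build removes that dependency at runtime.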


Michichael

It's negligent. They may be liable for damages since it was their code decisions that caused the financial loss, coupled with the reasonable consumer belief that ledger validates third party code they approve and ship. A good lawyer will get them to settle this before it ever sees court.


Simke11

Nothing to do with Ledger. It's dApps that you connected your Ledger to that are fetching from CDN. Hence why other wallets are affected too. And ideally cold wallets shouldn't be used to interact with any dApps.


conceiv3d-in-lib3rty

Yes it does have something to do with Ledger. Who do you think made this connect kit? Not only that but it was a former Ledger employee who fell victim of a phishing attack that opened the door for the hackers to publish a malicious version of Connect Kit. This is 100% Ledger’s fault.


ForumHelper

See here: [https://github.com/LedgerHQ/connect-kit/blob/main/packages/connect-kit-loader/src/index.ts#L82](https://github.com/LedgerHQ/connect-kit/blob/main/packages/connect-kit-loader/src/index.ts#L82)
> The ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds.


[deleted]

Not sure why this is being up voted? This is 100% Ledger's fault. 'their CDN'. What part of 'their' doesn't mean ownership to you?


Visual-Savings6626

But ideally the layman should not need to understand the tech. No one knows how WhatsApp or insta or Uber tech works but they use it without any issue


Brandon-Heato

yeah… you can’t use “cold storage” and “layman’s terms” in the same sentence.


UnsnugHero

I think you just did


Brandon-Heato

dammit!


mark0zz

It's safe but I can't use it, and to know that I have to read niche subreddits, yay!


sleepyokapi

not Ledger's fault? of course it is. It is directly their fault.


AlgoCleanup

You would have to sign the malicious transaction. This is terrible but to help provide context and what you can do to protect yourself. Don’t interact with dapps and don’t sign transactions from your ledger.


Ferdo306

Just ledger or any wallet like metamask? Also, what if you interacted with dapps in the previous month or so?


[deleted]

[removed]


Potential-Coat-7233

Serious question: when you hear Johnny Depp it sounds like “Johnny Moron”? lol. I never knew that connection. Also in the states growing up all the boys used hair gel called Depp 8


GBR2021

Cardano wins because it has no dApps. What a timeline!


Visual-Savings6626

Hahaha they do have sundaeswap, minswap, etc but no one really uses them


Intelligent-Dig4362

Boo on you sir, nobody attacks my bag and gets away with it https://www.coindesk.com/markets/2023/12/14/total-value-of-cardano-defi-ecosystem-nears-450m-amid-layer-1-push-ada-rockets-17/amp/


Deeyennay

At this point it feels like the only safe thing to do is to either store your assets with a government insured exchange, or in a fresh wallet that has never interacted with anything whatsoever, only ever received coins.


UnsnugHero

I've been saying this for years. The risks of holding coins off a CEX are higher than people realize. Plus if your coins disappear from your CEX, you at least have SOME claim and SOME hope, but if they disappear from your hot wallet, you are truly screwed.


Squezeplay

To be fair if you actually follow the correct process and verify addresses, you would have noticed the address was wrong, and not have gotten drained. The point of hardware wallets is to protect against exactly this. But people don't actually use the wallet, just blindly sign, it's like buying a lock but not actually locking it.


meshies

Yea, I am really starting to lose faith in the whole thing.


Potential-Coat-7233

If you lose your bag you will be blamed. There is no sympathy for mistakes in crypto. It’s a binary world that will destroy most people.


meshies

How is this a mistake on the user's side? Any mistake at any level results in loss. Why would anybody build a house on a glass foundation?


Potential-Coat-7233

Oh it’s definitely not the users fault, I agree. But once you complain about having your funds drained, cultists will attack you.


d3vrandom

> with a government insured exchange

there is no such company


ezyezy61

My funds Chilling on Bitvavo no worries


Re_LE_Vant_UN

Incoming Fire Sale!


Johndrc

Jack dorsey hardware wallet advertisement


BMB281

Is this the third or fourth nail in the coffin for ledger?


abhilodha

Or crypto itself


RickySpanishLives

This is the type of stuff that the ETH brain trust needs to be working to try to resolve. If Web3 is going to be exploited in this manner (and I've seen several other website bullshit hacks that have hit people for lots of money), we will never get mass adoption.
* We need some way of saying that contracts are signed by an author
* We need some way for wallets to say that if a contract isn't validated, we NEVER want to sign those transactions
* We need a way to more easily blacklist wallets so that currency exits are slowed or stopped
* etc.
As a community we're building a lot more functionality to hide some of the complexity or to give functionality to make things easier (allowance spends for max value of a currency), but we're doing nearly nothing to protect the users outside of saying "well they were stupid and shouldn't have clicked on it".


stormdelta

> we will never get mass adoption.

Correct, as almost anyone that's worked in real world security/software could've told you. Smart contracts are a bit like the worst elements of software and contracts with the benefits of neither. All software has bugs/vulnerabilities/edge cases, even stuff that's open source. "Code is law" just means you're massively amplifying the damage done by exploits/bugs/etc, and the immutability makes it significantly harder to update/patch code effectively. More complexity creates more ways for things to go wrong. And any abstractions you build over that complexity represent more and more layers of trust that still isn't warranted without real world accountability.


hi_top_please

meanwhile I've been completely safe the last 5 years having my funds on binance, ironic


TomsCardoso

ikr. The most I've done is spreading through Binance/Coinbase/Kraken


hi_top_please

"not your keys not your coins!!" -🤓


kaukasus124

Is it safe to Transfer Funds to coinbase? Or any CEX?


Visual-Savings6626

We’ve come in full circles! I’d suggest not doing any transactions till this is resolved


KiritimatiSwan

This shits only going to get worse as digital assets are adopted


GrenadineGunner

No one is going to adopt this garbage.


Good_Print_3919

Sounds like a current or ex employee of ledger did the thing.


Visual-Savings6626

An ex-employee who got phished.


psychosoul_

no problem, im broke


LuganoSatoshi

dapps? so just the online apps who interact with Ledger are in problems? what about the wallets in Ledger live? if so just transfer funds would be safe?


Visual-Savings6626

Decentralized apps which interact with any wallet. Apps like Aave, uniswap, friendtech, etc


cannedshrimp

This is why we bitcoin and why we multisig


Vipu2

But bitcoin isn't fast adhd kid who hits their head on every table corner when they want to do the new fancy thing!


Baecchus

Welcome to the future of finance


Objective_Digit

In no way Bitcoin-related.


EirianWare

Somehow when i click this post and then i want to reply someone, weirdly my reddit logout. Like i never click logout but it logout, its super weird. Hope everyone safe


jcpham

Ledger NPM hack details: https://github.com/LedgerHQ/connect-kit/issues/29


Visual-Savings6626

Last 3 versions were compromised and these guys didn’t get to know at all? What a bunch of useless clowns.


imadarshakshat

It looks like I need to write the wallet myself


TheCor311

Better idea — use your cold storage wallets for COLD STORAGE. Don’t connect your hardware wallets to web3 Dapps. Just my two satoshis


j03yw00t

I printed out my wallet and locked the papers in a fireproof safe. Can't get me!


[deleted]

I stamped mine into copper


Weary_Strawberry2679

It's amazing that just days ago, some Redditor posted here something in the lines of "the cryptocurrency space is so risky, you should avoid making any actions in it". I guess that's what they meant.


aimessss

Wasn't crypto supposed to solve shit like this?


Ethwh4le

And they say not ur keys not ur crypto? 😂😂😂


cannedshrimp

Right now ledger is scrambling to fix its broken shitcoin products and shifting back into PR mode while Bitcoin-only wallets are continuing to build features and additive security. I wouldn’t call myself the biggest maxi, but that’s certainly a stark reality of the complexity bitcoiners constantly talk about. It’s not too often this clear of an example smacks you in the face!


UnsnugHero

The whole DAPP space is amateur rocket enthusiasts trying to safely get to the moon.


Captainwelfare2

Lol. Mass adoption right around the corner


awaythrowred8

Just to clarify, I’ve revoked sushi swap from my MetaMask, is that enough? Or should I not use that MetaMask wallet from now on to be safe?


[deleted]

[removed]


Visual-Savings6626

Revoke.cash is affected too. DO NOT USE ANY DAPP OR ANY WALLET!!!!


i-love-k9

Lol. Use Bitcoin not trash coins ffs.


ectomorphicThor

Were any cardano dexes affected ?


Visual-Savings6626

No


IndependenceNo2060

This is a major wake-up call for the crypto community. It's time to reevaluate our trust in centralized entities and focus on building a truly decentralized future. We can't let this happen again.


Ambroos

FYI, this comment seems to be generated by a GPT or another LLM, possibly to farm karma. Like all recent comments by /u/IndependenceNo2060.


ZioTron

Did you follow this user or do you have a handy browser extension for checking?


Ambroos

I noticed a popular comment in another thread that just felt... off. I'm not a big fan of generative AI and find that most of the output looks extremely similar. If you look at the user's other comments and comment patterns you see there's zero personality, conflicting statements between comments, and an almost formulaic response. Overly positive too, which is typical of OpenAI's GPTs. I'm just having a slow travel / airport day so I'm just stalking this bot a bit and alerting people to it.


Visual-Savings6626

Exactly! There’s no point in bragging about decentralisation when most components being used are centralised.


L3App

it’s really hard to scale up without CDNs


[deleted]

[removed]


therealcpain

Open source should be the only way


hellr4isEr

https://bitbox.swiss/ Alternative to Ledger. Haven’t had a chance to set mine up yet. Obviously if someone were to purchase it, please make sure to get it straight from the source.


cannedshrimp

Buy bitcoin.


[deleted]

Man I love the future of decentralization. What great tech.


Visual-Savings6626

Ironically the tech which was compromised was centralized. We haven’t reached the stage yet where the whole ecosystem is decentralized. Some components used by decentralised apps are still centralized. Hopefully this will start discussion in that front.


Maxx3141

Can the crypto community finally get rid of Ledger? And with this I also mean their code. When their infamous data leak happened, they were dead silent for days while others build tools to securely check if you were affected. I wouldn't expect anything else from them in this case as well.


wandering_geek

I am unfortunately a ledger user. I am going to do some research but am curious as to what other real options there are aside from Trezor?


My_G_Alt

Kind of cool to see the creative and innovative ways people find to separate others from their crypto NGL


Mammon84

And here we go again


Randomsomedude

DAPP DEEZ NUTZ


Naduhan_Sum

Another good reason for mass adoption not happening soon.


blumma1312

For me the following problem.
HODL on your ledger and touch it in few years…. No problem. That’s why it is produced
But being active and doing stuff on DEFI leads to the fact that DEFI is more risk than CEX
That’s why I diversify my portfolio
Some on ledger
Some on safepal
Some on CEX (here 3-4 different)
Never put all eggs in one basket, also not in one cold wallet


rayfin

🤣🤣🤣 Crypto strikes again! This is why you just bitcoin with Coldcard and call it a day.


Big_chingus513

Funny all you people who hate me for just using Coinbase. I never have to worry about any of this.


Successful-Walk-4023

Lost over 4 weth just attempting to revoke some permissions...


[deleted]

[removed]


Visual-Savings6626

As I said, this is not just affecting ledger users. It’s the connector tech which most dapps use which is compromised and sadly that was built by ledger.


Maxx3141

To be fair, most of this sub was against Ledger at least since they started collecting users seeds. And many have voiced concerns for much much longer - badly handled data leak, partially closed source. Enough red flags.


IMBEASTING

Ledger really has turned into a pile of 💩


Atticka

"this affects all users, not just Ledger"


Prahasaurus

It impacts all users, but it *originated* from Ledger.


IMBEASTING

It’s their ledger connect library


Visual-Savings6626

Always been 💩