Ledger Plans to Fix Signing Process and Refund Users After Exploit

Crypto hardware wallet provider Ledger is implementing changes to transaction signing processes following an exploit in the Ledger Connect Kit software library on December 14.

Ledger acknowledged approximately $600,000 in assets impacted and stolen from users engaging in blind signing on EVM DApps.

The company commits to working with the DApp ecosystem to enable clear signing and cease blind signing with Ledger devices by June 2024. Both Ledger and non-Ledger customers affected by the exploit will be reimbursed by the end of February 2024.

Ledger urges users who signed transactions on affected DApps to revoke unauthorized transactions to prevent further impact. The company aims to establish a new standard for user protection through clear signing across DApps.

Blind signing involves users approving on-chain transactions with their private key based on raw, unreadable data. In contrast, clear signing provides a summarized transaction for users to review before execution.
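
To make the difference concrete, here is an added example (not code from Ledger or from the original article) that renders raw EVM transaction data as the readable summary a clear-signing flow would show, and falls back to "blind" when it cannot decode the call. It assumes the standard ERC-20 `approve` and `transfer` calls as the illustration; the function name `describeCalldata` and the sample address are constructed.

```javascript
// Added example: minimal "clear signing" renderer for ERC-20 calldata.
// Selectors are the standard ERC-20 ones; the sample address is constructed.
const SELECTORS = {
  "095ea7b3": { name: "approve", fields: ["spender", "amount"] },
  "a9059cbb": { name: "transfer", fields: ["recipient", "amount"] },
};
const MAX_UINT256 = (1n << 256n) - 1n;

function describeCalldata(hex) {
  const data = hex.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(data) || data.length < 8) {
    return { readable: false, summary: "Malformed calldata: refuse to sign" };
  }
  const spec = SELECTORS[data.slice(0, 8)];
  // Unknown selector or wrong argument length: only raw bytes can be shown,
  // which is exactly the blind-signing situation.
  if (!spec || data.length !== 8 + 64 * 2) {
    return { readable: false, summary: "Unknown call: only raw data available (blind signing)" };
  }
  const word0 = data.slice(8, 72);
  const word1 = data.slice(72, 136);
  // An ABI-encoded address is left-padded with 12 zero bytes.
  if (!/^0{24}/.test(word0)) {
    return { readable: false, summary: "Malformed address argument: refuse to sign" };
  }
  const address = "0x" + word0.slice(24);
  const amount = BigInt("0x" + word1);
  // An allowance of 2^256-1 lets the spender move the whole token balance.
  const unlimited = spec.name === "approve" && amount === MAX_UINT256;
  const amountText = unlimited ? "UNLIMITED" : amount.toString() + " base units";
  return {
    readable: true,
    call: spec.name,
    [spec.fields[0]]: address,
    amount,
    unlimited,
    summary: `${spec.name}: ${spec.fields[0]} ${address}, amount ${amountText}`,
  };
}

// Constructed sample: approve(<made-up spender>, 2^256-1)
const SAMPLE_APPROVE =
  "0x095ea7b3" +
  "000000000000000000000000" + "1111111111111111111111111111111111111111" +
  "f".repeat(64);

console.log(SAMPLE_APPROVE);                           // what a blind signer sees
console.log(describeCalldata(SAMPLE_APPROVE).summary); // what clear signing shows
```

The same 68 bytes that are unreadable as hex become a one-line statement of who receives what authority, which is the information a user needs before approving.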

The exploit, linked to a critical vulnerability in decentralized applications, allowed malicious code injection, resulting in asset theft. Ledger removed the code, but an estimated $500,000 in funds was affected.

The attack began with a phishing attack on a former Ledger employee. Ledger emphasizes this incident as an isolated event, noting that the attacker focused on the session token rather than credentials.
