Ledger Code Library Attacker Drains $480k After Compromising Dozens of Web3 Dapps

Ledger’s connector library was compromised and injected with malicious drainer

By: Pedro Solimano


A code library maintained by crypto wallet provider Ledger was compromised today, putting user funds at risk for more than five hours.

As per, the address holds roughly 66 ETH from 75 tokens, worth roughly $98,000, with Lookonchain reporting that the attacker managed to drain $484,000 in assets. The attacker’s address was blacklisted by USDT issuer Tether.

Ledger, the largest hardware wallet provider by number of users, posted on X that a safe version of its Ledger Connect Kit is being propagated automatically. The company recommends waiting for 24 hours before interacting with the connector again.

The attacker infected Ledger's Connect Kit, a popular code library that facilitates interactions between user wallets and dApps, with malicious software in a so-called “supply-chain attack.”

Crypto Users at Risk

Any user confirming transactions with crypto wallets, whether via Ledger or not, was at risk of losing funds, as many web3 dapps use Ledger’s library. Prominent crypto developers urged users not to interact with any web3 dApps.

Matthew Lilley, the CTO of Sushi, flagged the exploit on social media. Banteg, a core contributor for Yearn, posted that Ledger’s library had been compromised and “replaced with a drainer.”

Ledger tweeted roughly one hour after the exploit was identified to say it had removed the malicious code.

"The malicious version of the file was replaced with the genuine version at around 2:35pm CET," Ledger said. "Your Ledger device and Ledger Live were not compromised.... We will provide a comprehensive report as soon as it’s ready."

The malicious software was live for 5 hours, although the company managed to patch and fix the problem within 40 minutes of discovering it, Ledger said. Ledger has also rotated permissions to publish on its GitHub.

SushiSwap and Revoke.Cash have updated their libraries with the fixed version, whereas Zapper announced it has disabled the compromised frontend.