2 min read

Ledger Token Drainer Exploit Affects Several Decentralized Finance Protocols


December 15, 2023

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Ledger Token Drainer Exploit Affects Several Decentralized Finance Protocols

DeFi Protocols Under Threat

A novel exploit heavily impacting several decentralized finance (DeFi) protocols could put cryptocurrency owners at risk.

The shortcoming was signaled by Sushi’s Chief Technology Officer Matthew Lilley, who warned that the industry-wide front-end exploit is related to Ledger’s Connect Kit.

Ledger Connect Kit Exploit

Ledger is a popular hardware wallet used by many crypto enthusiasts to protect their digital assets. It also provides the Connect Kit software used by several DeFi protocols, including Metamask, Lido, Sushi and Coinbase to establish connections between decentralized applications (dApps) and Ledger products.

“Do not interact with ANY dApps until further notice,” reads Lilley’s post on X. “It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.”

Lilley also tagged Ledger in the thread, pointing out that the perpetrator loads suspicious code from Ledger’s own Connect Kit repository on GitHub. The flaw reportedly triggers a token drainer after prompting users to connect their wallets via a pop-up.

Ledger Confirms and Fixes Exploit

Ledger confirmed the attack in a post on X, stating that a former employee fell prey to phishing, allowing a threat actor to access their NPMJS account and inject malicious code into the Connect Kit. It also said the malicious code affecting versions 1.1.5, 1.1.6, and 1.1.7 of the Ledger Connect Kit has been removed and replaced with the “genuine and verified” version 1.1.8.

The company also reported the wallet address of the threat actor, who had already siphoned some funds from victims using a rogue WalletConnect project; stablecoin issuer Tether has frozen the rogue USDT account.

“Ledger’s technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware,” reads Ledger’s announcement on X. “The malicious file was live for around 5 hours, however we believe the window where funds were drained was limited to a period of less than two hours.”

Clear vs. Blind Signing in Crypto Transactions

Users are advised to always Clear Sign transactions with their Ledger wallets instead of Blind Signing, as it provides more transparency.

Ledger recently faced quite some controversy due to its “Recover” feature. While the service is meant to help users recover lost private keys, crypto enthusiasts met it with skepticism and disapproval, believing it undermines the principle upon which crypto was built. Last month, a rogue developer stole roughly $768,000 in crypto after uploading a fake Ledger Live app to the Microsoft app store.

Staying Safe: The Importance of Being Informed

Detecting and preventing scams is often daunting, especially for those who dip their toe in crypto's fascinating yet dangerous realm. However, staying informed about the latest threats can go a long way in dodging the wave of crypto scams.




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

You might also like