The decentralized exchange protocol SushiSwap has been one of those affected by the vulnerability detected in Ledger Connect Kit.
The Web3 connector commonly used in the crypto industry, Ledger Connect Kit, has suffered an attack that may affect decentralized applications (DApps) that connect through this service, as well as user funds. For now, Ledger and DApps developers recommend users Do not interact with any decentralized application until the vulnerability is fully resolved.
Ledger recently reported that the existing vulnerability in its Web3 connector had been detected and that the team was working on a quick fix.
According to what was reported by the company, the attackers took advantage of an existing vulnerability to compromise the security of Ledger Connect, injecting malicious code into the service that has affected some DApps, including SushiSwap.
According to Ledger, The vulnerability has already been detected and eliminated. The developer team has replaced the malicious code in Ledger Connect and is implementing a genuine and safe version of the code that “should spread soon”.
Meanwhile, DApp developer teams recommend users Stay away from your decentralized applications right now.
SushiSwap warns about Ledger Connect security
SushiSwap CTO Matthew Lilley said on X (formerly Twitter) that users who are using the SushiSwap website and see an unexpected “Connect Wallet” pop-up, do not interact or connect your wallet, in as much as they could lose all funds.
From its official account, SushiSwap has also warned users, stating that the security of Ledger Connect has been compromised and that the malicious code that was injected into the service was affecting the protocol and several other DApps. “For your safety, please refrain from interacting with any DApp until further notice,” the DEX protocol wrote on the social network, encouraging users to wait for new updates.
A large-scale attack targeting DApps
Apoorv Lathey, lead developer of NFTX, explained that the vulnerability allows an attack that asks DApp users to connect their wallets through a scam popup that appears on the respective web pages and application interfaces, and that activates a token drain once users connect their wallets.
“This fraudulent popup might try to open your MM to sign a transaction and empty your account”, commented the expert.
Source: @apoorvlathey
On the other hand, regarding the security of the Ledger hardware wallet, the company has reported that the hardware device and the Ledger Live plugin have not been compromised by the recent vulnerability, so the funds are safe for those users who refrain from make transactions at this time.
Continue reading: Beware: Ledger user warns about scam with fake device that arrived at his house
