The CTO of Sushi, Matthew Lilley, has issued a warning about a possible front-end attack affecting a commonly used Web3 connector: Ledger’s connect-kit. This hack involves modifying the user interface of websites or applications, allowing hackers to divert funds. The problem affects numerous DeFi sites, including Zapper and RevokeCash.
Attack on Ledger’s Library and Hack of its Connect-Kit
Matthew Lilley, the CTO of DeFi protocol Sushi, recently issued a warning about a front-end attack that appears to target a frequently used Web3 connector in the industry: Ledger’s connect-kit. In an urgent message on X, he advises not to interact with dApps until further notice. This alert follows the discovery of a security flaw allowing the injection of malicious code affecting numerous dApps.
The front-end attack involves modifications to the user interface (UI) of a website or application. Hackers can modify functions to redirect funds to their own accounts. It is important to note that this type of attack does not allow access to wallets. Lilley specified that the suspicious code would come from the GitHub page of hardware wallet provider Ledger. A user on X highlighted that the Ledger library had been compromised and replaced with a token drainer.
Do Not Use Any dApps Until a Patch is Deployed
The problem affects several DeFi sites, including Sushi Swap, Zapper, Hey, and even RevokeCash. Therefore, it is important not to panic and wait instead of attempting to revoke access and making a mistake.