DeFi at Risk as Ledger Faces Exploit; Sushi Cautions Against Engaging with Any dApps

The reported exploit prompts users to link their wallets through a pop-up, initiating a token-draining mechanism. Sushi, a decentralized finance (DeFi) protocol, faced a front-end exploit related to an industry-wide vulnerability associated with Ledger’s Connect Kit.

Ledger, a manufacturer of hardware wallets, supplies the Connect Kit software used by DeFi protocols like Lido, MetaMask, Coinbase, and Sushi to connect decentralized applications (dApps) to their products. By exploiting the front end of a website or application, hackers can manipulate the functions visible to users, tricking them into unintentionally sending funds to the attackers rather than to their intended wallets.

Sushi’s Chief Technology Officer, Matthew Lilley, issued a warning about the compromise, advising users not to interact with any dApps until further notice. He highlighted that a commonly used web3 connector had been compromised, allowing the injection of malicious code affecting multiple dApps.

Sushi released an official statement acknowledging the critical issue with the Ledger connector’s compromise. Users were cautioned not to engage with any unexpected ‘Connect Wallet’ pop-ups on the Sushi page.

A user on platform X pointed out that Ledger’s library had been compromised and replaced with a token-draining mechanism. Ledger responded by identifying and removing the malicious version of the Ledger Connect Kit, assuring users that a genuine version was being deployed to replace the compromised file. Ledger advised users to refrain from interacting with any dApps temporarily and promised to provide updates as the situation unfolded, emphasizing that Ledger devices and Ledger Live were not compromised.

UPDATE (Dec. 14, 13:23 UTC): Adds context throughout.

UPDATE (Dec. 14, 14:49 UTC): Adds statement from Ledger.

UPDATE (Dec. 14, 15:00 UTC): Rewrites headline; changes lead photo.

UPDATE (Dec. 14, 15:58 UTC): Adds statement from Ledger.