DeFi Under Threat: SushiSwap Hit By Exploit, Ledger Connect Kit Vulnerability Exposed

Zinger Key Points
  • Users are advised to avoid all dApp interactions, as the exploit affects a wide range of applications that use Ledger connectors.
  • Blockaid detects a supply chain attack on the Ledger Connect Kit, compromising popular dApps like Zapper, SushiSwap, and RevokeCash.

In a significant development impacting the decentralized finance (DeFi) sector, the decentralized exchange SushiSwap (SUSHI/USD) has reportedly fallen victim to a front-end exploit.

Matthew Lilley, the Chief Technology Officer (CTO) of Sushi, issued a warning about a widespread vulnerability linked to a "commonly used" web3 connector, urging users to refrain from interacting with any decentralized applications (dApps) until further notice.

The exploit, which allows for the injection of malicious code, is believed to affect numerous dApps across the industry.

The suspect code, as identified by Lilley, appears to originate from a web3 connector hosted on GitHub, specifically within the LedgerHQ connect-kit repository.

The Ledger dApps Connect Kit enables developers to connect their dApps to Ledger hardware wallets using the Ledger Extension or Ledger Live.

This revelation has raised alarms about the security of various dApps, not limited to those associated with Sushi.

In response to Lilley's warning, a user known as Pavel_jumper inquired if the caution was exclusive to Sushi's dApps. Clarifying the severity of the situation, Lilley confirmed that the vulnerability potentially impacts "practically all dApps that use ledger connectors."

Adding to the concern, Blockaid, a cybersecurity entity, detected what appears to be a supply chain attack on the Ledger Connect Kit.

The attacker reportedly injected a wallet-draining payload into the popular NPM package, compromising several well-known dApps, including Zapper, SushiSwap, and RevokeCash.

Meanwhile, Ledger stated that it had identified and removed the malicious version of the Ledger Connect Kit.

"A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves," Ledger added.

Responding to the attack, MetaMask asked its users to have the Blockaid feature turned on in MetaMask Extension before performing any transactions on MetaMask Portfolio.

"The MetaMask Portfolio team is on it and has a fix in place that will be rolled out today," the company said. 
