Hardware wallet maker Ledger has announced that it plans to reimburse the victims of last week’s Connect Kit exploit, which saw the attacker siphon off $600,000 worth of crypto assets.
Ledger stated that the company would ensure all impacted users are made whole, while blind signing will be disallowed by June 2024.
Ledger To Reimburse Hack Victims
Ledger announced the decision on X (formerly Twitter), stating that it was aware of the $600,000 worth of assets stolen or impacted from users through blind signing on Ethereum Virtual Machine (EVM) decentralized applications (dApps). Several decentralized applications using Ledger’s connector library, including SushiSwap and Revoke.Cash was compromised on the 14th of December, leading to massive losses. In its announcement, Ledger stated it would ensure that impacted users would be reimbursed.
“We are 100% focused on following up on last week’s security incident, making sure incidents like this are prevented in the future and that the ecosystem remains safe. We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps. Ledger will make sure victims affected will be made whole and are committing to work with the DApp ecosystem to allow Clear Signing and no longer allow Blind Signing with Ledger devices by June 2024.”
Ledger stated that it planned to finish reimbursing impacted users by February 2024, adding that it was already in contact with some impacted users.
“We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them.”
Plans To Bolster Security
Ledger also discussed plans to bolster security measures and work with decentralized apps (dApps) to allow clear signing while sunsetting blind signing. Ledger said it expects to sunset blind signing with Ledger devices by June 2024. Clear signing aims to help Ledger users avoid malicious transactions. It does this by summarizing the transaction on their device. In blind signings, users can only see the raw data.
“We are announcing that by June 2024, users will no longer be able to Blind Sign with Ledger devices. Our commitment is to work with the community and DApp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and encourage Clear Signing across DApps.”
The Ledger Connector Hack
The exploit occurred on the 14th of December when the attacker took control of Ledger’s Connect Kit library. They were able to do so after gaining access to the firm’s internal systems by hacking a former employee. The attacker injected malicious software into the library, allowing them to compromise the front end of several decentralized applications, including SushiSwap. As a result, unsuspecting Ledger users were tricked into connecting their Ledger wallets to a drainer.
Ledger issued a fix within hours of the exploit and began efforts to track down the hacker, with their address visible on Chainalysis.
“The malicious version of the file was replaced with the genuine version at around 2:35 pm CET. The new genuine version should be propagated soon. We will provide a comprehensive report as soon as it’s ready. In the meantime, we’d like to remind the community to always Clear Sign your transactions.”
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
