Ledger: after the hack, the company pledges to compensate victims by February 2024

by v

Following the hack that affected its Connect Kit, Ledger has pledged to compensate victims by the end of February 2024. Here’s a look back at the actions taken.

Ledger promises to help victims of December 14 hack

Last week, Ledger’s Connect Kit fell victim to a hack, resulting in approximately $600,000 in losses to users who signed fraudulent authorizations.

Shortly after the incident, CEO Pascal Gauthier pledged that Ledger would devote “as many internal and external resources as possible to help those affected recover their assets”.

On Wednesday, the hardware wallet manufacturer reiterated this promise:

As a brief reminder, the hacker had managed to introduce malicious code into a JavaScript library in the Ledger Connect Kit, enabling him to drain funds from victims interacting with decentralized finance (DeFi) applications.

As a result, Ledger is committed to ensuring that victims, whether or not they are customers of the company, recover their stolen funds in one way or another by the end of February next year:

“We are committed, by all possible means, including goodwill gestures, to ensuring that this is done by the end of February 2024. We are already in contact with many affected users and are actively working with them on the details.”

Generalized clear signatures by June

One of the elements that could have slowed the draining of funds is clear signing. Yet blind signing is still all too common in the DeFi ecosystem, making it impossible to know precisely the ins and outs of any transaction you authorize.

This state of affairs facilitates security incidents such as this one. For example, a hacker can carry out a front-end attack on a decentralized application (DApp) more effectively, so that its users sign a transaction granting rights to a fraudulent smart contract rather than to the DApp's own contract.

With blind signing, it’s more difficult to identify these attempted hijackings. That’s why Ledger is announcing that blind signing will no longer be possible with its devices by June 2024.

To this end, the company is inviting developers to integrate its “Clear Signing” feature into their applications:

“The only foolproof countermeasure against this type of attack is to always check what you consent to on your device. This is only possible with Clear Signing: which means you can see and verify exactly what you’re signing on a secure screen. If the ecosystem continues to allow blind signing, users remain at risk. We urge DApp developers to support the Clear Signing security brick.”

In addition, the company is calling on people who granted permissions to affected DApps on December 14 to revoke those permissions. This can be done with services such as Revoke.cash.
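To make the difference between blind and clear signing concrete, the added example below (not Ledger's code and not part of the original article) decodes token-approval calldata into the kind of fields a signer needs to see: the action, the spender and the amount, with a warning when the spender is not the contract the DApp is expected to use. The function name, the expected-spender parameter and the sample addresses are assumptions constructed for this illustration; the two selectors are the standard ones for `approve(address,uint256)` and `setApprovalForAll(address,bool)`.

```javascript
// Added example: decode token-approval calldata into human-readable fields.
const APPROVE = "095ea7b3";              // approve(address,uint256)
const SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)
const MAX_UINT256 = (1n << 256n) - 1n;

// describeCalldata and expectedSpender are hypothetical names for this sketch.
function describeCalldata(data, expectedSpender) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const unknown = (why) => ({ action: "unknown", spender: null, amount: null, warnings: [why] });
  if (!/^[0-9a-f]{8,}$/.test(hex)) return unknown("calldata is not valid hex");
  const selector = hex.slice(0, 8);
  const args = hex.slice(8);
  if (selector !== APPROVE && selector !== SET_APPROVAL_FOR_ALL) {
    return unknown("cannot decode: approving this would be blind signing");
  }
  // Two 32-byte words; an address occupies the low 20 bytes of the first word.
  if (args.length !== 128 || !args.startsWith("0".repeat(24))) {
    return unknown("malformed approval arguments");
  }
  const spender = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64));
  const warnings = [];
  if (spender !== expectedSpender.toLowerCase()) {
    warnings.push("spender is not the contract this DApp is expected to use");
  }
  let action, amount;
  if (selector === APPROVE) {
    action = value === 0n ? "revoke allowance" : "approve";
    amount = value === MAX_UINT256 ? "unlimited" : value.toString();
    if (value === MAX_UINT256) warnings.push("unlimited allowance");
  } else {
    action = value === 0n ? "revoke operator" : "approve operator for all tokens";
    amount = null;
  }
  return { action, spender, amount, warnings };
}

// Constructed sample data (placeholder addresses, not real contracts).
const DAPP_CONTRACT = "0x" + "1".repeat(40);
const OTHER_CONTRACT = "0x" + "2".repeat(40);
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const samples = {
  expected: "0x" + APPROVE + word(DAPP_CONTRACT) + word((1000n).toString(16)),
  swapped: "0x" + APPROVE + word(OTHER_CONTRACT) + "f".repeat(64),
  revoke: "0x" + APPROVE + word(OTHER_CONTRACT) + word("0"),
  opaque: "0xdeadbeef" + word("1"),
};
for (const [name, data] of Object.entries(samples)) {
  console.log(name, describeCalldata(data, DAPP_CONTRACT));
}
```

The `revoke` sample shows that revoking a permission is itself an approval call with a zero amount, which is why it too should be displayed in decoded form before signing.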

A help page has also been created for victims, and Ledger warns against phishing attempts, reminding users that on X, its two official accounts are @ledger and @ledger_support.
