Major Security Vulnerability Found in Ledger Software Library, Affecting Multiple Dapps

Multiple DApps using Ledger’s connector, including Zapper, SushiSwap, Balancer and Revoke.cash, were compromised on Dec. 14.

The issue is related to a software library from Ledger wallet, the “LedgerHQ” library, that dapps rely on for use with the crypto wallet service. This vulnerability could potentially allow malicious code to be injected into numerous dapps on their front-ends, posing a significant risk to users and their assets.

Front ends to multiple dapps could be vulnerable if used. Projects like Kyber and RevokeCash confirmed on X that they disabled their front-ends.

According to latest announcement from Ledger, the malicious version of the file has been replaced with the genuine version. Ledger emphasiss that users need to always clear sign transactions, the address and the information presented on Ledger screen is the only genuine information. If there is a difference between the screen shown on your Ledger device and your computer screen, stop that transaction immediatly.

Source