DeFi Under Threat: SushiSwap Hit By Exploit, Ledger Connect Kit Vulnerability Exposed
In a significant development impacting the decentralized finance (DeFi) sector, the decentralized exchange SushiSwap (CRYPTO: SUSHI) has reportedly fallen victim to a front-end exploit.
Matthew Lilley, the Chief Technology Officer (CTO) of Sushi, issued a warning about a widespread vulnerability linked to a "commonly used" web3 connector, urging users to refrain from interacting with any decentralized applications (dApps) until further notice.
RED ALERT:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software (@MatthewLilley) December 14, 2023
The exploit, which allows for the injection of malicious code, is believed to affect numerous dApps across the industry.
The suspect code, as identified by Lilley, appears to originate from a web3 connector hosted on GitHub, specifically within the LedgerHQ connect-kit repository.
The Ledger dApps Connect Kit enables developers to connect their dApps to Ledger hardware wallets using the Ledger Extension or Ledger Live.
This revelation has raised alarms about the security of various dApps, not limited to those associated with Sushi.
In response to Lilley's warning, a user known as Pavel_jumper inquired if the caution was exclusive to Sushi's dApps. Clarifying the severity of the situation, Lilley confirmed that the vulnerability potentially impacts "practically all dApps that use ledger connectors."
Adding to the concern, Blockaid, a cybersecurity entity, detected what appears to be a supply chain attack on the Ledger Connect Kit.
The attacker reportedly injected a wallet-draining payload into the popular npm package, compromising several well-known dApps, including Zapper, SushiSwap, and RevokeCash.
Meanwhile, Ledger stated that it had identified and removed the malicious version of the Ledger Connect Kit.
"A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves," Ledger added.
Responding to the attack, MetaMask asked its users to have the Blockaid feature turned on in MetaMask Extension before performing any transactions on MetaMask Portfolio.
"The MetaMask Portfolio team is on it and has a fix in place that will be rolled out today," the company said.