On Thursday morning, December 14, a software program developed by French hardware wallet manufacturer Ledger was compromised by a phishing scam targeting a former employee of the company.
In the two hours that the exploit of the Javascript library Ledger Connect Kit was running, the hacker stole between $484,000 and $610,000 of user funds from the ecosystem’s most notorious decentralized applications, including Kyber, RevokeCash, Zapper, SushiSwap, Phantom, and Balancer. Metamask also initially said their users were exposed but later clarified that they were never in danger.
The security incident was a crystalline display of Web3's greatest strengths and weaknesses.
The Good
Six minutes after the hacker had deployed the malware on wallet-draining payload on the Ledger’s hard wallet app connector on Thursday morning, security firm Blockaid found the vulnerability.
Immediately after this, it began mitigating the attack by introducing the necessary security measures to its clients, simultaneously informing Ledger and the community. Five hours after the attack started, the hardware wallet company announced a fix on X, saying “, Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically.” Stablecoin Tether was also keen to point out that it had quickly frozen the address of the exploiter, making it harder for them to cash out the stolen funds.
The intrinsic open-source nature of Web3 projects makes the industry constantly prone to security threats. Every time one occurs, the industry fights back by improving security measures and mitigation strategies, becoming inherently more resilient.
One distinguishing feature of Web3 is the way competition gives way to cooperation whenever a vulnerability is being exploited. Players communicate and work together to find solutions, translating into efficient, innovative and public fixes for the problems that arise.
The Bad
In a letter published following the exploit, Ledger CEO Pascal Gauthier assured users, “The standard practice at Ledger is that no single person can deploy code without review by multiple parties. We have strong access controls, internal reviews, and code multi-signatures for most parts of our development.”
Still awaiting the results of the final investigation, the community is having a hard time believing Gauthier’s words, as the whole incident could have been avoided if the company had followed basic security measures such as revoking the former employee’s credentials upon his exit.
The attack shows how vulnerable Web3 can be to security threats. This vulnerability multiplies when considering the great interconnection between companies in the ecosystem. In a similar vein, last week Thirdweb found a vulnerability in some commonly used smart contracts that sent chills down the spine of not just a couple but hundreds of Web3 projects.
The Ugly
The same technology that allows Web3 to flourish as an industry based on principles of innovation, cooperation, and quick action also allows for a dark side to grow.
The ledger attacker was not a mastermind, but used sophisticated pre-programmed software to perform the scam - a phishing tool designed by Angel Drainer.
Web3 security exploits have become so frequent that a criminal element of the industry is growing, one that specializes in providing scammers tools for committing illegal activities. This means that the efforts made by Web3 players to implement killer security strategies will be met with equal determination by predatory users.
Not all that is ugly is bad, and the community coping mechanism of amusing public roasts of Ledger and ecosystem security are worth the scroll. However, scams continue on an almost daily basis.
