Ledger patches vulnerability after multiple DApps using connector library were compromised
Multiple decentralized applications using Ledger’s connector library have been compromised, including SushiSwap and Revoke.cash. Ledger claims the issue has been fixed.
Update (Dec. 14 at 2:45 pm UTC): This article has been updated to clarify that Ledger has reportedly fixed the issue.
The front ends of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash, were compromised on Dec. 14. Nearly three hours after the security breach was discovered, Ledger reported that the malicious version of the file had been replaced with its genuine version around 1:35 pm UTC.
Ledger is warning users “to always Clear Sign” transactions, adding that the addresses and the information presented on the Ledger screen are the only genuine information. “If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”