ledger

Ledger vulnerability put entire DApp ecosystem at risk: Finance Redefined

The Ledger connector vulnerability put the entire DeFi ecosystem at risk, with market experts urging users to remain cautious about using DApps even after Ledger released a patch.

Welcome to Finance Redefined, your weekly dose of essential decentralized finance (DeFi) insights — a newsletter crafted to bring you the most significant developments from the past week.

The past week in DeFi saw an unprecedented chain of events unfold on Dec. 14 when a malicious actor exploited a vulnerability in the Ledger hardware wallet’s connector library. The exploit put the entire decentralized application (DApp) ecosystem at risk. On-chain analysts and DApps like SushiSwap and MetaMask advised users not to interact with their wallets at all.

Ledger released a patch within hours to contain the vulnerability, but the exploiter drained over $650,000 in assets from multiple victims. However, considering the number of wallets and DApps at risk, the drained amount was considerably lower than it could have been.

How the Ledger Connect hacker tricked users into making malicious approvals

According to Cyvers, the attacker caused malicious code to be inserted into multiple app user interfaces, allowing the exploiter to fool users into confirming transactions.

The Ledger hacker who siphoned away at least $484,000 from multiple Web3 apps on Dec. 14 did so by tricking users into making malicious token approvals, according to the team behind blockchain security platform Cyvers.

According to public statements made by multiple parties involved, the hack occurred on the morning of Dec. 14. The attacker used a phishing attack to compromise the computer of a former Ledger employee, gaining access to the employee’s account on the npm (NPMJS) JavaScript package registry.

When a developer first writes their app, they usually install a connect kit through the Node package manager, npm. After creating a build and uploading it to their site, the app contains the connect kit as part of its code, which is downloaded into the user’s browser whenever the user visits the site. A malicious version published from a hijacked registry account therefore reaches every browser that loads an app built on it, which is how the malicious code ended up in multiple app user interfaces.

Ledger CEO explains hack, calls it ‘isolated incident’

CEO and chairman Pascal Gauthier says the company is working with law enforcement to “find this bad actor, bring them to justice.”

Ledger CEO Pascal Gauthier has addressed the Dec. 14 hack of the wallet provider’s connector library in a post on the company’s blog. He said the compromise of Ledger’s JavaScript connector library was an “isolated incident” and promised stronger security controls.

Ledger breach possibly affecting whole EVM ecosystem — Linea

Wallet provider MetaMask was also affected by the incident. Ledger released a patch to resolve the issue but warned users to wait 24 hours before using its connector library again.

The attack on Ledger’s connector library may have affected the whole Ethereum Virtual Machine (EVM) ecosystem, according to the team behind Linea, a zero-knowledge rollup by Consensys.

The hacker targeted the Ledger connector library, which was designed to enable communication between Ledger hardware wallets and various decentralized applications (DApps). Wallet provider MetaMask has also been affected by the security incident.

Blockchain analytics platform Lookonchain claimed the hacker had stolen assets worth nearly $484,000, but the impact of the security breach could be bigger, noted Ledger.

Decentralized applications pause Ledger Connect as exploit fix deployed

Ledger has since attributed the exploit to a phishing attack on a former employee.

More decentralized applications (DApps) have temporarily disabled their front-end user interface for Ledger Connect amid an exploit on Dec. 14.

Developers of the nonfungible token (NFT) platform OpenSea said on Dec. 14 that users should “not connect to any dApps using Ledger Connect until further notice.”

Meanwhile, the decentralized finance (DeFi) protocol Lido Finance stated its “front-ends have been switched off as a precautionary measure whilst the Ledger connect issue is being investigated.”

Ledger attacker drained at least $484K

The hacker behind the attack on Ledger’s connector library has stolen at least $484,000, according to blockchain analysis platform Lookonchain.

The hacker behind the attack on Ledger’s connector library stole assets worth nearly $484,000, according to blockchain analysis platform Lookonchain. Ledger has not yet confirmed the figures, but the impact of the security breach could be in the hundreds of thousands, according to the company.

Users on X (Twitter) flagged the incident on Dec. 14, claiming that a popular Web3 connector was compromised, allowing malicious code to be injected into multiple decentralized applications (DApps).

Protocols affected by the incident include Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, but the damage could be even greater. According to some users on X, the vulnerability could exist in other similar programs that are alternatives to LedgerHQ/connect-kit.

Ledger patches vulnerability after multiple DApps using connector library were compromised

Multiple decentralized applications using Ledger’s connector library have been compromised, including SushiSwap and Revoke.cash. Ledger claims the issue has been fixed.

Update (Dec. 14 at 2:45 pm UTC): This article has been updated to clarify that Ledger has reportedly fixed the issue.

The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were compromised on Dec. 14. Nearly three hours after the security breach was discovered, Ledger reported that the malicious version of the file had been replaced with its genuine version around 1:35 pm UTC.

Ledger is warning users “to always Clear Sign” transactions, adding that the addresses and the information presented on the Ledger screen are the only genuine information. “If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”

Crypto wallet provider Ledger raises $109M as demand for self-custody soars

The funding is the first of three rounds for the hardware wallet provider, whose success has been fueled by growing awareness of crypto self-custody.

Hardware wallet provider Ledger has raised 100 million euros ($109 million) in a Series C funding round extension, placing its valuation at 1.3 billion euros ($1.4 billion), in line with its previous funding in June 2021, Bloomberg reported on March 30. The funding is the first of three investment rounds. 

According to the report, a second closing is due in April, followed by a third funding to take place at a later date, given “high investor interest.” The capital will be used to expand the company’s distribution network, increase production, and develop new products.

Ledger’s new investors include VaynerFund, Cité Gestion SPV, True Global Ventures and Digital Finance Group. Previous investors include Morgan Creek, Cathay Innovation, Draper Dragon and Cap Horn, among others.

In a recent interview with Cointelegraph at Paris Blockchain Week, Ledger CEO Pascal Gauthier noted that the collapse of crypto exchanges and banks in recent months had raised the level of awareness about crypto self-custody. “Whenever the market gets stressed and whenever people fear for their savings, you know, they rush to crypto and to Ledger,” Gauthier noted.

Ledger reportedly had its best month of sales in November following the dramatic collapse of the crypto exchange FTX. According to the company, revenue from Ledger Live’s buy-and-sell crypto app has grown 200% in the past 12 months. Hardware wallet provider Trezor also benefited from FTX’s failure, reporting a 300% surge in sales revenue as a result of investors rescuing their funds.

Ledger claims to store more than 20% of crypto assets in circulation and 30% of the nonfungible token supply. Among recent moves, the company hired Tony Fadell, one of the creators of the iPhone, to design a new version of its hardware wallet.

Prominent figures in the industry have also encouraged crypto self-custody. “Self custody is a fundamental human right. You are free to do it anytime. Just make sure you do it right,” Binance CEO Changpeng Zhao said in November, advising investors to start small and learn the technology.

BIS head describes ideal ‘unified ledger’ for central banks and other financial users

Speaking in Singapore, Agustín Carstens described a ledger that would accommodate a variety of public and private projects in discrete but connectable parts.

General manager of the Bank for International Settlements Agustín Carstens spoke at the Singapore FinTech Festival on Feb. 22 and described the digital financial infrastructure he believes would best suit central bankers’ needs. He called that infrastructure a “unified ledger.”

Carstens compared the theoretical unified ledger with a smartphone, saying they both work seamlessly with a variety of components. Unlike a smartphone, a unified ledger would have open architecture, however, and would show programmability and composability; that is, it would run and bundle smart contracts. There are over 2 million apps available to smartphone users, Carstens noted. He said:

“A unified ledger is a digital infrastructure with the potential to combine the monetary system with other registries of real and financial claims.”

A unified ledger would not have to be decentralized or permissionless, Carstens said, but could accommodate a variety of projects that involve the “use of money as a means of payment and settlement,” with the central bank playing a large role in the governance of the ledger and the consumer-facing sector remaining in private hands.

Central bank digital currency and tokenized deposits could exist in “partitioned” sections of the ledger, with smart contracts to facilitate their interaction, Carstens said. The ledger could be used for everything from micropayments on the Internet of Things to escrow in real estate transactions.

Carstens took the opportunity to express his current thinking on stablecoins. He said of stablecoin proponents:

“But what this view forgets is that what sustains fiat money is not the application of novel technologies but all the institutional arrangements and social conventions behind it.”

Stablecoins also run the risk of depegging, he added. They were developed because they could technically do things other forms of money could not, and central banks should take over those roles, he said.

Carstens also raised the hackles of the crypto community on Feb. 22 with a blunt assessment of the success of cryptocurrency.

Industry execs confident in DeFi adoption despite security flaws: Finance Redefined

The top 100 DeFi tokens had a mixed week, with the majority of them losing the bullish momentum of the previous week.

Welcome to Finance Redefined, your weekly dose of essential decentralized finance (DeFi) insights — a newsletter crafted to bring you significant developments over the last week.

Industry experts are confident in DeFi and believe the sector will continue to see adoption despite its security flaws, largely because of the mammoth failure of centralized exchanges. Growth has not come cheap, however: decentralized exchange SushiSwap has lost $30 million on liquidity provider incentives over the past year.

Popular hardware crypto wallet Ledger introduced a new DeFi tracking feature that pairs with its hardware wallets to monitor performance analytics of over 1,000 protocols.

The Lodestar Finance protocol, exploited for over $5 million on Dec. 10, had a Mango Markets connection: the exploiter copied the methods used by the Mango Markets hacker to drain funds.

The DeFi market had a mixed week in terms of price action, where the majority of the tokens remained in the same price range as last week but lost bullish momentum.

Industry execs voice confidence in DeFi adoption despite security flaws

With DeFi being a hub for various hacks and exploits, some may feel discouraged or wary of entering the space. However, professionals within the crypto space are confident that DeFi will have broader adoption in the future.

From educating institutional investors to eliminating user experience barriers for retail investors, Web3 executives shared their thoughts on how broader DeFi adoption can be achieved.

Ledger hardware wallet adds DeFi tracking feature

Users and developers are seeking out ways to stay both safe and informed after a year of volatility and uncertainty. During this shift, the hardware wallet developer Ledger announced a new integration for users to track the value of their assets.

Ledger and Merlin, a DeFi portfolio tracker, announced their new partnership on Dec. 13 to bring live DeFi performance analytics to Ledger Live users. The app connects to Ledger’s cold storage wallets and serves over 5 million users.

SushiSwap CEO reveals DEX lost $30M on LP incentives this year

According to a new tweet by SushiSwap CEO Jared Grey, the decentralized exchange (DEX) experienced a $30 million loss over the past 12 months on incentives for liquidity providers (LPs). As explained by Grey, SushiSwap currently employs a token-based emission strategy to incentivize LPs, but the current rate is “unsustainable.”

Moving forward, Grey plans to rework SushiSwap’s tokenomics so that LPs are no longer subsidized with emissions and redesign the entire model of bootstrapping liquidity on the exchange. “In Q1 2023, we will bring innovation to scale swap volume & prioritize TVL. As LPs experience a more profitable swap experience, others should migrate to Sushi,” wrote the DEX executive.

Hackers copied Mango Markets attacker’s methods to exploit Lodestar — CertiK

Blockchain security company CertiK has shared a post-mortem analysis of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10. According to CertiK, the Lodestar Finance hackers “artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt.”

The attack went through Lodestar’s pricing of PlutusDAO’s plvGLP token. According to its documentation, Lodestar “uses verified, secure Chainlink price feeds for every asset it offers with the exception of plvGLP.” Instead, Lodestar derived the plvGLP-to-GLP exchange rate from the vault’s total assets divided by its total supply, a ratio that on-chain actors can move directly.

DeFi market overview

Analytical data reveals that DeFi’s total value locked remained above $40 billion but saw a minor dip from the past week. Data from Cointelegraph Markets Pro and TradingView show that DeFi’s top 100 tokens by market capitalization had a volatile week, with the majority of the tokens trading in the red.

Lido DAO (LDO) was the biggest gainer among the top 100 DeFi tokens, registering a surge of 8.5% over the past week, followed by THORChain (RUNE) with a 3% rise on the weekly chart.

Thanks for reading our summary of this week’s most impactful DeFi developments. Join us next Friday for more stories, insights and education in this dynamically advancing space.