  • Blockonome Gnome

Security Scare Hits DeFi as Ledger Vulnerability Sparks Warnings

A widespread exploit linked to Ledger's Connect Kit shakes the decentralized finance (DeFi) landscape, leading Sushi to issue a stark warning against any dApp interactions.


 

Sushi's Chief Technology Officer raised the alarm over a systemic vulnerability tied to Ledger's Connect Kit, as the decentralized finance (DeFi) realm faced a critical front-end exploit.

 

Ledger, renowned for its hardware wallets, supplies the Connect Kit software employed by various decentralized finance protocols, including Lido, MetaMask, Coinbase, and Sushi. This kit facilitates the connection of decentralized applications (dApps) to Ledger's products. By compromising the front end of websites or applications, hackers can manipulate user interfaces, deceiving individuals into unwittingly transferring funds to the exploiters instead of their intended wallets.

 

In a stark warning on X, Sushi CTO Matthew Lilley urged caution: “Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised, allowing for the injection of malicious code affecting numerous dApps.”

 

The reported exploit involves users being prompted to connect their wallets through a pop-up, triggering a token-draining mechanism. Similar issues have surfaced across other DeFi platforms, including Zapper and RevokeCash.

 

Within five hours of the security breach, Ledger released a post-mortem on X. It revealed that a former Ledger employee fell victim to a phishing attack, enabling a hacker to insert malicious code into Ledger's Connect Kit. The compromised code has since been eradicated, and Tether, a stablecoin issuer, took action by freezing the hacker's wallet.




 

"We've identified a critical issue: the Ledger connector has been compromised, potentially allowing the injection of malicious code affecting various dApps," stated Sushi in an official statement. "If you have the Sushi page open and see an unexpected 'Connect Wallet' pop-up, DO NOT interact or connect your wallet."

 

An X user pointed out that Ledger’s library had been compromised and replaced with a token-draining mechanism.

 

Ledger assured users that it had "identified and removed a malicious version of the Ledger Connect Kit." A legitimate version is currently being deployed to replace the compromised file. The advisory remained clear: "Do not interact with any dApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live were not compromised."


(Photo Source: Ledger)
