- Major decentralized exchanges, NFT markets and games may be at risk.
- Ledger users are advised to avoid hardware wallets until the situation is clarified.
- The compromised library and JS injection mean that any app could try to steal crypto tokens, coins or NFTs.
December 14 Update: Ledger users need a miniature update to avoid resource-hungry apps. The issue was resolved just a few hours after being reported, and there is no news of any missing resources as of yet. Users need to update the Ledger software to the latest version and clear the cache to remove previous code that may generate unwanted transactions.
One of the biggest obstacles to Web3 adoption is the presence of bad actors. Among legal applications and games, players may encounter various types of malware aimed at stealing resources.
Now even the most secure hardware wallet, Ledgerhas been hit by an exploit that allows apps to siphon all assets, including tokens, coins, and NFTs.
As of December 14, multiple apps are affected and the final list is unknown.
It is recommended that all users avoid using Ledger until the situation is corrected. Malware can connect to the wallet and conduct a transaction even without the user’s explicit consent.
The exploit situation continues to evolve. The immediate information shows that some of the leading exchanges, such as SushiSwap, may be at risk.
The potential exploit appears at a time of rising token and coin prices, as well as increased user activity on Ethereum, Solana and other networks. Potentially malicious JS code can be injected into many applications, so none will be considered secure.
Avoid Web3 interfaces and applications until Ledger clears things up
Application interfaces in Web3 can also affect web wallets such as MetaMask. Following the Ledger library attack, all Web3 applications, NFT sales, and other interfaces are considered risky.
Ledger is typically used as a long-term data storage device, not typically connected as a warm wallet. For short-term NFT sales or gaming connections, users can build a modern wallet containing only the amount of assets for planned transactions.
Other Web3 games and applications try to get rid of the wallet connection and instead exploit the resources contained in the game. Wallets remain a highly secure technology, but risks also come from interacting with astute contracts and other features that are not immediately apparent to the user.
End users may also be prompted to sign the transaction. The best way to exploit Web3 is to enable manual approval for each transaction. Apps that exploit wallet as a service or in-game resources are more secure wallet slimmers.
