Ledger attack shows company ‘learned nothing’ after multiple breaches: ENS developer
Crypto community members have posted their responses to the Ledger Connect Kit exploit that affected multiple decentralized applications (DApps) across the Web3 space.
On Dec. 14, a hacker attacked the front end of multiple DApps using Ledger’s connector. The exploiter breached major apps such as SushiSwap, Phantom and Revoke.cash and stole at least $484,000 in digital assets.
Ledger announced that it had fixed the problem three hours after the initial reports about the attack. The firm’s CEO, Pascal Gauthier, said it was an isolated incident and noted that they are working with the relevant law enforcement agencies to find the hacker and “bring them to justice.”
While Ledger claims it was an isolated event, Linea, a zero-knowledge rollup by Consensys, warned Web3 users that the vulnerability could affect the entire Ethereum Virtual Machine (EVM) ecosystem.
A day after the incident, community members went on X (Twitter) to express their sentiments about the Ledger incident. Some advised followers to use other wallet platforms, while others called on Ledger to open-source everything.
Ledger’s security explained pic.twitter.com/6hTeXYVWco
— Crypto PM (@CryptoPM_) December 15, 2023
On Dec. 15, Bitcoin (BTC) supporter Brad Mills told his X followers to use Bitcoin-only hardware built by Bitcoin engineers focused on securing BTC. Mills urged community members never to onboard their friends to BTC with hardware wallets Ledger or Trezor.
In 2020, another Ledger incident led to the leaking of user information like mailing addresses, phone numbers and email addresses. Referring to previous Ledger breaches, Ethereum Name Service developer Nick Johnson said in a post that no one should recommend their hardware or use their libraries.
Okay, so it’s clear @Ledger has learned nothing about opsec from multiple breaches. At this point I don’t think anyone should in good conscience recommend their hardware or use their libraries.
— nick.eth (@nicksdjohnson) December 15, 2023
According to Johnson, Ledger showed a consistent disregard for operational security and no longer deserves the “benefit of the doubt that they’ll improve.”
Related: Decentralized applications pause Ledger Connect as exploit fix deployed
Meanwhile, crypto trader and analyst Krillin criticized Ledger and called them out for spending a day removing negative comments under their posts on X.
During the hack on Dec. 14, the attacker utilized a phishing exploit to gain access to the computer of a former Ledger employee. The employee’s node package manager JavaScript account was accessed, leading to the breach.
Following the hack, a community member advised Ledger to “open-source everything” and let the community be their “surgeon” to stitch them back together. The company announced on May 24 that it had open-sourced many of its applications and is committed to open-sourcing more of its code.
According to community members, transparency is not a luxury but a lifeline. “Trust, once lost, demands open veins, not veiled promises.”
Magazine: ‘Account abstraction’ supercharges Ethereum wallets: Dummies guide
