{"id":34359,"date":"2023-12-20T23:52:51","date_gmt":"2023-12-21T03:52:51","guid":{"rendered":"http:\/\/cryptocornercafe.com\/cafe\/?p=34359"},"modified":"2023-12-20T23:52:51","modified_gmt":"2023-12-21T03:52:51","slug":"ledger-commits-to-full-restitution-for-victims-of-600000-connectkit-attack","status":"publish","type":"post","link":"http:\/\/cryptocornercafe.com\/cafe\/2023\/12\/20\/ledger-commits-to-full-restitution-for-victims-of-600000-connectkit-attack\/","title":{"rendered":"Ledger Commits To Full Restitution For Victims Of $600,000 ConnectKit Attack"},"content":{"rendered":"<p>Hardware wallet manufacturer Ledger has responded to a recent <a href=\"https:\/\/www.newsbtc.com\/breaking-news-ticker\/breaking-sushi-defi-security-breach-cto-sounds-alarm-sushi-price-drops-4\/\" target=\"_blank\" rel=\"noopener\">security breach <\/a>resulting in the theft of $600,000 worth of user assets.\u00a0<\/p>\n<p>The company has pledged to enhance its security protocols by eliminating Blind Signing, a process where transactions are displayed in code rather than plain language, by June 2024.<\/p>\n<h2>Ledger Takes Responsibility For ConnectKit Attack<\/h2>\n<p>In a <a href=\"https:\/\/x.com\/Ledger\/status\/1737457365526470665?s=20\" target=\"_blank\" rel=\"noopener\">statement<\/a>, Ledger emphasized its focus on addressing the recent security incident and preventing similar occurrences in the future.\u00a0<\/p>\n<p>The company acknowledged the approximately $600,000 in assets that were impacted by the ConnectKit attack, particularly<a href=\"https:\/\/www.newsbtc.com\/tether\/tether-launches-new-security-policy-freezes-41-sanctioned-wallets\/\" target=\"_blank\" rel=\"noopener\"> affecting users<\/a> blind signing on Ethereum Virtual Machine (EVM) decentralized applications (dApps).\u00a0<\/p>\n<p>Furthermore, Ledger pledged to make sure affected victims are fully compensated, including non-Ledger customers, with CEO &amp; Chairman Pascal Gauthier personally overseeing the 
restitution process.\u00a0<\/p>\n<p>According to the statement, Ledger has already initiated contact with affected users and is actively working with them to resolve their <a href=\"https:\/\/www.newsbtc.com\/news\/kronos-research-halts-operations-after-losing-26-million-in-security-breach\/\" target=\"_blank\" rel=\"noopener\">specific cases<\/a>.<\/p>\n<p>In addition, by June 2024, blind signing will no longer be supported on Ledger devices, contributing to a \u201cnew standard of user protection\u201d and advocating for \u201cClear Signing,\u201d which refers to a process that allows users to verify transactions on their Ledger devices before signing them across dApps.<\/p>\n<p>On this matter, Ledger\u2019s CEO Pascal Gauthier <a href=\"https:\/\/x.com\/_pgauthier\/status\/1735394661626225132?s=20\" target=\"_blank\" rel=\"noopener\">stated<\/a>:\u00a0<\/p>\n<p>My personal commitment: Ledger will dedicate as much internal and external resources as possible to help the affected individuals recover their assets.<\/p>\n<h2>Heightened dApp Security Measures<\/h2>\n<p>According to an incident <a href=\"https:\/\/www.ledger.com\/blog\/security-incident-report\">report <\/a>released by the hardware wallet manufacturer, the attack exploited the Ledger Connect Kit, injecting malicious code into dApps utilizing the kit.\u00a0<\/p>\n<p>This malicious code redirected assets to the attacker\u2019s wallets, tricking<a href=\"https:\/\/www.newsbtc.com\/analysis\/matic-analysis\/polygon-zkevm-successfully-completes-first-major-upgrade-introduces-dragonfruit\/\" target=\"_blank\" rel=\"noopener\"> EVM dApp users<\/a> into \u201cunknowingly signing transactions\u201d that drained their wallets.\u00a0<\/p>\n<p>Ledger addressed the attack by deploying a genuine fix for the Connect Kit within 40 minutes of detection. 
The compromised code remained accessible for a limited time due to the nature of content delivery networks (CDNs) and caching mechanisms.<\/p>\n<p>Ledger acknowledged the risks faced by the entire industry in safeguarding users and emphasized the need to continually raise the bar for security in dApps.\u00a0<\/p>\n<p>The company plans to strengthen its access controls, conduct audits of internal and external tools, reinforce code signing, and improve infrastructure monitoring and alerting systems.\u00a0<\/p>\n<p>Additionally, Ledger will<a href=\"https:\/\/www.newsbtc.com\/news\/ledger-hardware-wallet-raises-7-million-series-funding\/\" target=\"_blank\" rel=\"noopener\"> educate users <\/a>on the importance of Clear Signing and the potential risks associated with blind signing transactions without a secure display.<\/p>\n<p>Notably, with Clear Signing, users are presented with a clear and readable representation of the transaction details, enabling them to review and validate the transaction before providing their signature.\u00a0<\/p>\n<p>This added layer of transparency and verification helps users mitigate the risks associated with front-end attacks or malicious code injected into decentralized applications<\/p>\n<p>Featured image from Shutterstock, chart from TradingView.com<\/p>","protected":false},"excerpt":{"rendered":"","protected":false},"author":0,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[82],"tags":[],"class_list":["post-34359","post","type-post","status-publish","format-standard","hentry","category-blockchain"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/posts\/34359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/comments?post=34359"}],"version-history":[{"count":1,"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/posts\/34359\/revisions"}],"predecessor-version":[{"id":34364,"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/posts\/34359\/revisions\/34364"}],"wp:attachment":[{"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/media?parent=34359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/categories?post=34359"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cryptocornercafe.com\/cafe\/wp-json\/wp\/v2\/tags?post=34359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}