- Major decentralized exchanges, NFT markets and games may be compromised.
- Ledger users are advised to avoid their hardware wallets until the situation clears.
- A compromised library and JS injection means any app can try to steal crypto tokens, coins, or NFT.
Updated December 14: Ledger users need a small update to avoid asset-draining apps. The issue has been resolved just hours after reporting, and so far there are no news of missing assets. Users must be updated to the latest version of Ledger software and clear their cache for previous code that may generate unwanted transactions.
One of the biggest obstacles to Web3 adoption is the presence of bad actors. Among legitimate apps and games, players can encounter various types of malicious software that aims to steal assets.
Now, even the most secure hardware wallet, Ledger, has been affected by an exploit that allows apps to drain all assets, including tokens, coins and NFT.
As of December 14, multiple apps are affected and the final list is unknown.
All users are urged to avoid using Ledger until the situation is fixed. Malicious software can make a call to a wallet and create a transaction even without the user’s explicit consent.
The exploit situation is still developing. Immediate information shows some of the leading exchanges such as SushiSwap may be compromised.
The potential exploit arrives at a time of growing token and coin prices, as well as increased user activity on Ethereum, Solana and other networks. Potentially, the malicious JS code may be injected into multiple apps, so none are considered safe.
Avoid Web3 Frontends and Apps Until Ledger Gives the All-Clear
App frontends in Web3 can also affect online wallets like MetaMask. After the compromised library for Ledger, all Web3 apps, NFT sales and other frontends are considered risky.
Ledger is usually used as a long-term storage device, not usually connected as a hot wallet. For short-term NFT sales or game connections, users may build a new wallet with just the amount of assets for planned transactions.
Other Web3 games and apps try to do away with a wallet connection, instead using in-game wrapped assets. Wallets remain a highly secure technology, but the risk also lies in interacting with smart contracts and other features not immediately visible to the user.
End users may also receive a prompt to sign a transaction. The best approach to use Web3 apps is to turn on the feature for approving each transaction manually. Apps that use wallet-as-a-service or in-game assets are safer from wallet drainers.