Sushi’s CTO, Matthew Lilley, issued a warning tonight that a commonly used Web3 connector may have been compromised, and advised users not to interact with any dApps for now. Please wait patiently for further instructions.
Later updates revealed that the issue mainly stemmed from dApps that integrated the “poisoned Ledger Connect package.” Matthew Lilley explained the details in follow-up tweets.
In addition, SlowMist founder Yu Xian posted on X that the front ends of Sushi, Zapper, and RevokeCash have been affected. Kyber has also closed its front end for security reasons. Affected dApp front ends may display malicious transactions to lure users into signing, which could lead to direct loss of user funds once a transaction is signed and confirmed. According to ZachXBT’s statistics, an estimated $610,000 or more in assets has been stolen. For security reasons, users are advised not to interact with any dApps until the incident is resolved.
Shortly after, Ledger officially announced that the team has identified and removed the malicious version of Ledger Connect Kit, and is now pushing the legitimate version to replace the malicious files. However, users are still advised not to interact with any dApps temporarily.
Update December 25, 10:50 (UTC+8)
According to Ledger’s official announcement, the new secure version of Ledger Connect Kit, 1.1.8, has been successfully deployed, and the malicious code affecting Ledger and WalletConnect has been disabled. The issue has been largely mitigated, and users can now safely use Ledger Connect Kit.
However, SlowMist founder Yu Xian warned that the poisoned code may still be in your browser cache. To ensure the highest level of security, it is recommended to clear your browser cache first and wait 24 hours before proceeding. Additionally, make sure to carefully review the transaction messages before signing when interacting with dApps.