According to CryptoPotato, Ledger, a hardware wallet manufacturer, has announced plans to disable blind signing for Ethereum Virtual Machine (EVM) decentralized applications (DApps) by June 2024. The decision comes in response to an exploit where a wallet drainer was added to a library utilized by numerous DApps to connect to Ledger devices. The company revealed that approximately $600,000 in crypto assets were stolen during the recent exploit and committed to compensating affected victims. Ledger declared that it would discontinue the practice of blind signing with Ledger devices by June 2024, aiming to establish a new standard to enhance user protection and promote clear signing across decentralized applications.
In the exploit last week, developers on Twitter identified a malicious version of the Ledger Connect Kit, a library facilitating the connection between Ledger devices and DApps. According to Web3 security firm BlockAid, the attacker injected a wallet-draining payload into the Ledger Connect Kit’s NPM package, allowing them to drain funds from users who signed on DApps like Sushi.com and Hey.xyz. MetaMask, a software wallet developer, cautioned users to “stop using DApps” following news of the attack. Ledger confirmed that the attack occurred because a former employee fell victim to a phishing attack, which allowed the attacker to access the former employee’s NPMJS account and push a malicious version of the Ledger Connect Kit. This compromised Connect Kit rerouted user funds from any wallet connecting to a DApp that used it to the hacker’s wallet. Ledger responded swiftly, deploying a fix within 40 minutes of its security teams raising the alert. A new version of the Connect Kit (1.1.8) has been released. The exploit did not compromise Ledger devices or the Ledger Live app.
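As an added example, not code from Ledger or from the article: a minimal decoder for the two most common ERC-20 calls, illustrating what "clear signing" means in practice. When the signer can decode the calldata it can show the user the function, recipient and amount (and flag an unlimited approval); when it cannot, all it can show is an opaque payload, which is the blind-signing situation the drainer exploited. The selector table and the sample calldata are constructed for this example.

```javascript
// Known ERC-20 function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
};
const UNLIMITED = (1n << 256n) - 1n; // max uint256, the usual "infinite approval"

// Split calldata into selector + 32-byte ABI words and decode the arguments.
function decodeCalldata(hex) {
  const data = hex.toLowerCase().replace(/^0x/, "");
  if (data.length < 8 || !/^[0-9a-f]*$/.test(data)) throw new Error("malformed calldata");
  const selector = data.slice(0, 8);
  const entry = SELECTORS[selector];
  // Unknown function: the device has nothing it can safely display.
  if (!entry) return { known: false, selector: "0x" + selector };
  const words = data.slice(8);
  if (words.length !== entry.params.length * 64) throw new Error("argument length mismatch");
  const args = entry.params.map((type, i) => {
    const word = words.slice(i * 64, i * 64 + 64);
    if (type === "address") {
      // Addresses are left-padded with 12 zero bytes; anything else is suspicious.
      if (!/^0{24}/.test(word)) throw new Error("address word has non-zero padding");
      return "0x" + word.slice(24);
    }
    return BigInt("0x" + word);
  });
  return { known: true, name: entry.name, args };
}

// Produce what a clear-signing display would show, plus any warnings.
function describe(hex) {
  const d = decodeCalldata(hex);
  if (!d.known) {
    return { display: `BLIND: unknown selector ${d.selector}`, warnings: ["cannot verify intent"] };
  }
  const [target, amount] = d.args;
  const warnings = [];
  if (d.name === "approve" && amount === UNLIMITED) warnings.push("unlimited approval");
  return { display: `${d.name}(${target}, ${amount})`, warnings };
}

// Constructed sample: approve(0x1111...1111, max uint256), the classic drainer pattern.
const SAMPLE_APPROVE = "0x095ea7b3" + "0".repeat(24) + "1".repeat(40) + "f".repeat(64);
console.log(describe(SAMPLE_APPROVE));
```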