Ledger security flaw jeopardizes the entire decentralized application ecosystem: Finance Redefined


Welcome to Finance Redefined, your weekly source of vital decentralized finance (DeFi) insights — a newsletter designed to deliver the most important updates from the previous week.

The last week in DeFi witnessed an extraordinary series of events on Dec. 14 when a malicious individual took advantage of a flaw in the Ledger hardware wallet’s connector library. This exploit jeopardized the entire decentralized application (DApp) ecosystem. On-chain analysts and DApps such as SushiSwap and MetaMask cautioned users against interacting with their wallets entirely.

Ledger issued a patch within hours to address the vulnerability; however, the attacker managed to siphon off over $650,000 in assets from various victims. Nevertheless, given the number of wallets and DApps exposed, the total amount drained was significantly less than it could have been.

How the Ledger Connect hacker deceived users into granting malicious approvals

The “Ledger hacker,” who extracted at least $484,000 from several applications on Dec. 14, accomplished this by misleading Web3 users into granting malicious token approvals, as reported by the team at blockchain security platform Cyvers.

As per public statements from various parties involved, the breach took place on the morning of Dec. 14. The attacker employed a phishing exploit to infiltrate the computer of a former Ledger employee, thereby gaining access to the employee’s node package manager JavaScript account.


Ledger addresses vulnerability after multiple DApps utilizing connector library were compromised

The front ends of several decentralized applications (DApps) utilizing Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, were compromised on Dec. 14. Nearly three hours after the security incident was identified, Ledger announced that the malicious version of the file had been replaced with the authentic version around 1:35 pm UTC.

Ledger is advising users “to always Clear Sign” transactions, emphasizing that the addresses and information displayed on the Ledger screen are the only authentic details. “If there’s a discrepancy between the screen shown on your Ledger device and your computer/phone screen, halt that transaction immediately.”


Yearn.finance appeals to arb traders to return funds after $1.4 million multisig error

The decentralized finance protocol Yearn.finance is appealing to arbitrage traders to return $1.4 million in funds following a multisignature scripting error that drained a significant portion of the protocol’s treasury.

“A defective multisig script caused Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped,” as stated in a Dec. 11 GitHub post by Yearn contributor “dudesahn.”


OKX DEX experiences $2.7 million exploit after proxy admin contract upgrade

OKX decentralized exchange (DEX) experienced a $2.7 million hack on Dec. 13 after the private key of the proxy admin owner was reported to have been compromised.

On Dec. 13, the blockchain security firm SlowMist Zone announced on X (formerly Twitter) that OKX DEX “encountered an issue.” According to the report, the problem began on Dec. 12, 2023, at approximately 10:23 pm UTC after the proxy admin owner upgraded the DEX proxy contract to a new implementation contract, leading to the theft of tokens.


DeFi market overview

Data from Cointelegraph Markets Pro and TradingView indicates that DeFi’s top 100 tokens by market capitalization experienced a positive week, with most trading in the green on the weekly charts. The total value locked in DeFi protocols remained above $60 billion.


Thank you for reading our summary of this week’s most significant DeFi developments. Join us next Friday for more stories, insights, and education regarding this rapidly evolving space.