Shemhamforash

I'm a self-taught coder and a digital artist passionate about creating unique digital experiences. I love composing music, creating pixel art and exploring the intersection of code and creativity. Currently building interesting things with TypeScript/JavaScript, and getting into filmography.

A Web3 Vulnerability Shakes DeFi: Ledger ConnectKit Compromised

A critical security flaw in the Ledger ConnectKit library, widely used by decentralized applications (dApps) for crypto wallet integration, has thrown the DeFi ecosystem into disarray. This vulnerability, potentially injected through a compromised content delivery network (CDN), allows malicious code to be inserted into dApp front-ends, posing a significant threat to user assets.

dApps like SushiSwap, Kyber, RevokeCash, and Zapper are confirmed to be at risk, with Kyber and RevokeCash taking immediate action by disabling their front-ends. Reports suggest hackers replaced the library code with malicious software designed to drain user funds, with security firm Blockaid estimating losses of $150,000 in recent hours.

This incident, described as a “supply chain attack” on Ledger ConnectKit, highlights the vulnerabilities inherent in interconnected systems within the DeFi space. Sushi CTO Matthew Lilly identified the compromised CDN as the source of the attack, stating that “LedgerHQ/connect-kit loads JS [JavaScript] from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.”

While a potential patch has been developed by Ledger and is being pushed to replace the malicious file, dApps will need to adopt the update for complete security. In the meantime, experts urge users to exercise extreme caution and avoid interacting with any dApps until further notice.

Key takeaways:

– A critical security flaw in Ledger ConnectKit allows malicious code injection into dApp front-ends.

– dApps like SushiSwap, Kyber, and others are vulnerable.

– Funds are at risk, with estimated losses exceeding $150,000.

– Ledger is pushing a patch, but dApps need to implement it.

– Users should avoid interacting with any dApps until further notice.

This incident underscores the importance of robust security measures and vigilance within the DeFi space. As the ecosystem evolves, prioritizing user safety and implementing secure software practices remains paramount.
