Ledger Exploit: Understanding the security risks in DApp UIs

On December 14, Ledger identified an exploit of the Ledger Connect Kit, a library used by multiple popular crypto applications. The exploit injected malicious code into those applications, tricking their users into signing transactions that drained their wallets. To get the code in, the attacker phished a former employee and used that person's access to Ledger's NPMJS account. A total of $600k was drained from the wallets of users who interacted with affected DApp UIs before the exploit was identified.

For more details, see the full incident report on Ledger's blog.

We spoke with Ledger employees who asked to be kept anonymous. We were told the exploit was caused primarily by one Ledger employee, who has a reputation for incompetence, but not malice.

Vulnerabilities in DApp UIs

The Ledger incident is just one exploit of DApp UIs; it is not the first and it will not be the last. There is a long list of security and operational risks in relying on protocol UIs.

Most institutions still use protocol UIs plus WalletConnect for almost all of their trading. Very few institutions (hedge funds, venture funds, and the like) are set up to handle these kinds of incidents effectively.

Another near-ubiquitous vulnerability that comes with using UIs is approving a proxy smart contract to transfer ('transferFrom') all of the assets in your wallet. That approval persists after the trade is finished, which means an upgrade to that contract days or years later can put all of your funds at risk. For example, that's what happened here:

How to protect your assets 

We believe fund managers have a fiduciary duty to be aware of these kinds of exploits and to have a solution in place, because solutions do exist. There are three core controls that are essential to get right:

  • Transaction security needs to be enforced by a simulation of the transaction before it is signed.
  • The link between classifying a transaction as unsafe and refusing to sign it needs to be enforced by a computer, not the trader's eyeballs.
  • Exposure to venues needs to be safe by default, which means cleaning up approvals after the trade is done, rigorous pre-trade analysis, and automatically enforced exit scenarios.
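Pulling the three controls above together with the lingering-approval problem described earlier, here is an added example (not code from Eulith, Ledger, or this post) of the kind of machine-enforced check a desk could run over raw calldata before a signer ever sees it: it blocks unlimited or non-allowlisted approvals and produces the approve(spender, 0) call used for post-trade cleanup. The function selectors are the standard ERC-20/ERC-721 ones; the spender address, allowlist, and amounts are constructed placeholders.

```python
# Added example (not Eulith's or Ledger's code): a pre-signing policy check over
# raw EVM calldata that flags the approval pattern discussed above and emits the
# revoke call for post-trade cleanup. Selectors are the standard ERC-20/ERC-721
# ones; the spender address and amounts are constructed placeholders.

APPROVE = "095ea7b3"               # approve(address,uint256)
INCREASE_ALLOWANCE = "39509351"    # increaseAllowance(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1

SAMPLE_SPENDER = "0x" + "11" * 20  # constructed placeholder, not a real contract


def decode_words(calldata_hex: str):
    """Split calldata into its 4-byte selector and the 32-byte ABI words after it."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("malformed calldata")
    return data[:4].hex(), [data[i:i + 32] for i in range(4, len(data), 32)]


def word_to_address(word: bytes) -> str:
    """An address occupies the low 20 bytes; the upper 12 must be zero padding."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def check_calldata(calldata_hex: str, allowed_spenders, max_amount: int):
    """Return ('allow' | 'block', reason) for one call the trader is about to sign."""
    selector, words = decode_words(calldata_hex)
    if selector in (APPROVE, INCREASE_ALLOWANCE, SET_APPROVAL_FOR_ALL):
        if len(words) != 2:
            return "block", "approval call with unexpected argument count"
        target = word_to_address(words[0])
        value = int.from_bytes(words[1], "big")
        if selector == SET_APPROVAL_FOR_ALL:  # bool true = every NFT in the collection
            return ("block", f"blanket operator approval to {target}") if value else ("allow", "operator revoked")
        if target.lower() not in {s.lower() for s in allowed_spenders}:
            return "block", f"approval to non-allowlisted spender {target}"
        if value == UINT256_MAX or value > max_amount:
            return "block", f"approval of {value} exceeds the trade size {max_amount}"
        return "allow", "bounded approval to allowlisted spender"
    return "allow", "no approval semantics in this call"


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): the cleanup to send once the trade is done."""
    return "0x" + APPROVE + spender.removeprefix("0x").lower().rjust(64, "0") + "00" * 32
```

The same check belongs in front of a simulation step: the simulation tells you what the call does on-chain, while this policy tells you whether an allowance the call leaves behind is acceptable at all.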

About DeFi Armor 

Humans are not good at reading EVM-level bytecode; computers are. We built https://www.eulith.com/product-pages/defi-armor for this purpose, so if you had been asked to sign this exploit's transaction, you would have been protected.

We have robust execution infrastructure that does not depend on protocol UIs and has built-in security for manual trading that protects you from attacks like this.

Kristian Gaylord

Kristian was previously a C++ developer at the intersection of edge computing AI and the space industry. He holds a BSc in Statistics from Columbia (2021).
