Matthew Lilley, CTO of decentralized exchange SushiSwap, made a post warning investors.
At this point, SUSHI CTO stated that investors should not interact with any dApp until further notice and announced that the platform was exposed to a security vulnerability caused by bad software.
SUSHI CTO Lilley also added that the suspicious code originated from the GitHub page of hardware wallet provider Ledger and said:
“Do not interact with ANY dApp until further notice. A widely used web3 connector appears to have been compromised, allowing injection of malicious code affecting a large number of dApps.”
Stating that this was not a single isolated attack, but a large-scale attack against multiple dApps, CTO said that the library of hardware wallet provider Ledger was compromised.
Making a statement on the subject, X user Squanch made the following statement:
Ledger's code was changed 2 hours ago with the code that automatically transfers your funds to another address when you log in with Ledger. In other words, those who connected to a wallet via Ledger in the last 2 hours are hacked.
Squanch later updated the statement, stating that the incident affected many more people than those connected to the wallet in just 2 hours, and stated that the situation was even worse.
On the other hand, Curve Finance made a statement regarding the issue and used the following statements:
Do not select Ledger at this time when interacting with the Curve website! Ledger support on many dApps now downloads malicious code
It is reported that there are problems on all platforms using Ledger except SushiSwap. Some DeFi platforms have announced that they have stopped accessing their websites until the problem is detected.
It seems that the entire market, especially DeFi altcoins, experienced a decline after this news.
Update:
The following statement came from Ledger regarding the issue:
We detected and removed a malicious version of Ledger Connect Kit. An original version is currently being released to replace the malicious file.
Do not interact with any dApps for now.
We will keep you informed as the situation develops.
Your Ledger device and Ledger Live have not been compromised.
*This is not investment advice.