The recent Ledger library attack, which coincided with the BTC downturn, adversely affected numerous smart contracts. Fortunately, protocols that took swift action prevented escalating losses. Ledger has announced that it will implement the necessary measures to prevent such incidents in the future. They also touched upon some plans for the coming year.
Ledger Crypto Hack
Malicious code injected into a code library published by Ledger, one of the largest hardware wallet makers, left the popular protocols that had integrated it vulnerable to attack. Thankfully, the loss was limited to approximately $600,000, and the Ledger team announced that it would be compensated.
They also recently wrote the following:
“We are 100% focused on following up on last week’s hack, preventing such future incidents, and ensuring the ecosystem remains secure.
We are aware of the approximately $600,000 in assets stolen from users of EVM DApps who blindly signed transactions. Ledger commits to compensating the affected victims and, by June 2024, working with the DApp ecosystem to enable Clear Signing and discontinue Blind Signing with Ledger devices.
We will compensate the damages in every possible way, including gestures of goodwill, by the end of February. We are already in contact with many affected users and actively working on the details together.
We remind users that if you signed a transaction in the affected DApps on December 14, 2023, the best security practices recommend canceling authorized transactions to further reduce the impact of malicious code.
As of June 2024, we announce that users will no longer be able to Blind Sign with Ledger devices. Our commitment is to work with the community and DApp ecosystem to enable Clear Signing, allowing users to verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and promote Clear Signing among DApps.
Front-end attacks have occurred many times before and will continue to disturb our ecosystem. The only flawless countermeasure for such attacks is always to verify what you are approving on your device.
This is only possible with Clear Signing: you can see and verify exactly what you are signing on a secure screen. If the ecosystem continues to allow Blind Signing, users will remain at risk.
Please always be vigilant against ongoing phishing and scam incidents. We have only two real social media accounts, and all others are fake.
ANYONE asking for your 24-word Secret Recovery Phrase is a criminal.”
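The statement above draws the line between Blind Signing, where the device shows only an opaque hash, and Clear Signing, where the user can read what the transaction does before approving it. The following is an added example, not Ledger's code or any DApp's code: a small Python decoder for the two most common ERC-20 calls that turns raw calldata into the kind of summary a clear-signing screen would show, and flags an unlimited `approve`, the pattern that lets a malicious contract empty a wallet later. The function selectors are the standard ERC-20 values; the sample calldata is constructed for the demonstration.

```python
"""Added example (not Ledger's code): decode the calldata of common ERC-20 calls
so a reader can see what a transaction would authorize before signing it.
Clear Signing displays this kind of information on the device; a blind-signed
transaction hides it. Selectors are the well-known ERC-20 values; the sample
calldata under __main__ is constructed for this example."""

from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1

# selector -> (function name, ((arg name, abi type), ...))
# 0x095ea7b3 = approve(address,uint256), 0xa9059cbb = transfer(address,uint256)
SELECTORS = {
    bytes.fromhex("095ea7b3"): ("approve", (("spender", "address"), ("amount", "uint256"))),
    bytes.fromhex("a9059cbb"): ("transfer", (("to", "address"), ("amount", "uint256"))),
}


@dataclass
class DecodedCall:
    function: str
    args: dict
    warnings: list = field(default_factory=list)


def decode_erc20_calldata(calldata_hex: str):
    """Return a DecodedCall for a known ERC-20 call, or None when the selector
    is unknown (an unknown call is left opaque rather than guessed at)."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    entry = SELECTORS.get(data[:4])
    if entry is None:
        return None
    name, params = entry
    body = data[4:]
    if len(body) != 32 * len(params):
        # Static ABI arguments occupy exactly one 32-byte word each; anything
        # else is malformed or carries extra bytes the decoder would ignore.
        raise ValueError(f"{name}: expected {32 * len(params)} argument bytes, got {len(body)}")
    args = {}
    for i, (arg_name, abi_type) in enumerate(params):
        word = body[32 * i: 32 * (i + 1)]
        if abi_type == "address":
            # An address is right-aligned in the word; the 12 leading bytes must be zero.
            if any(word[:12]):
                raise ValueError(f"{arg_name}: address word has non-zero padding")
            args[arg_name] = "0x" + word[12:].hex()
        else:  # uint256
            args[arg_name] = int.from_bytes(word, "big")
    call = DecodedCall(name, args)
    if name == "approve":
        if args["amount"] == MAX_UINT256:
            call.warnings.append("unlimited approval: spender may move the entire balance at any time")
        elif args["amount"] == 0:
            call.warnings.append("approval set to zero (revocation)")
    return call


def describe_calldata(calldata_hex: str) -> str:
    """Human-readable summary, the kind of text a clear-signing screen shows."""
    call = decode_erc20_calldata(calldata_hex)
    if call is None:
        return "UNKNOWN FUNCTION: cannot display what this transaction does"
    parts = [f"{k}={v}" for k, v in call.args.items()]
    text = f"{call.function}({', '.join(parts)})"
    for w in call.warnings:
        text += f"\n  WARNING: {w}"
    return text


if __name__ == "__main__":
    # Constructed sample: approve(0x1111...1111, 2**256-1), an unlimited approval.
    spender = "11" * 20
    sample = "0x095ea7b3" + "00" * 12 + spender + "ff" * 32
    print(describe_calldata(sample))
```

The revocation branch corresponds to the advice in the statement to cancel authorizations granted on December 14, 2023: revoking an ERC-20 allowance is itself an `approve` call with an amount of zero, so the same decoder shows a user that a revocation transaction does what it claims. Unknown selectors are deliberately reported as opaque rather than decoded on a best-effort basis, since a confident but wrong summary is worse than an honest "cannot display".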
Social Media Bots
At the end of the statement, they touched on something everyone should constantly be aware of. These bots latch onto the posts you make from your X (formerly known as Twitter) account and offer to help you. For example, you make a post saying, “How can I send Ethereum on MetaMask or Ledger,” and these bots start sending you automatic replies.
These accounts direct you to fake addresses, Telegram accounts, or phone numbers and, by the end of the day, convince you that they are technical staff of the company in question, then obtain your recovery words. If you give someone your recovery words, you are also gifting them all the assets in the corresponding wallet. It doesn’t matter whether you are aware of this, because attackers approach you precisely to steal those assets. Therefore, the best solution is to immediately block any account that asks for your recovery words or directs you to fake websites.