After last week's attack on the 14th, well-known cryptocurrency cold wallet maker Ledger announced that it will fully disable blind signing on Ledger devices by the end of June next year and replace it with clear signing to improve security.
Table of Contents:
Reasons and Timeline of Ledger’s Hack
Ledger: Disabling Blind Signing by the End of June Next Year
What is Blind Signing?
Risks of Blind Signing
Ledger, maker of the cryptocurrency cold wallet, was attacked on December 14th when malicious code was planted in its Connect Kit, affecting multiple projects across the Web3 sector. Ledger temporarily advised all users not to interact with any decentralized applications (Dapps).
Yesterday (the 20th), a week after the incident, Ledger published an article on its official website detailing how and why the attack happened, and announced that blind signing would be temporarily suspended on Ledger devices by the end of June 2024 and replaced by clear signing.
Reasons and Timeline of Ledger’s Hack
According to Ledger's official blog post, on December 14th hackers exploited a vulnerability in the Ledger Connect Kit and injected malicious code into Dapps that used it, tricking EVM Dapp users into signing transactions and draining their wallets. The timeline is as follows:
December 14th, morning: A former Ledger employee fell for a phishing attack, and their access credentials for NPMJS (the npm registry, used to share JavaScript packages between applications) were stolen.
December 14th, 9:49 / 10:44 / 11:37 AM: Hackers published versions 1.1.5, 1.1.6, and 1.1.7 of the Ledger Connect Kit on NPMJS; the malicious code they carried redirected user assets to hacker-controlled wallets via WalletConnect.
December 14th, 1:45 PM: Major related projects and Ledger discovered the attack.
December 14th, 2:18 PM: Ledger pushed an updated version of the Ledger Connect Kit 40 minutes after receiving the attack alert, and WalletConnect disabled the relevant channels.
December 14th, 2:55 PM: Following coordination, Tether, issuer of the stablecoin USDT, froze the stolen funds.
Ledger: Disabling Blind Signing by the End of June Next Year
Ledger officially stated that total losses amount to approximately $600,000, all of it stolen by hackers from users who blind-signed on EVM DApps. Ledger has promised to assist users in recovering the stolen funds by the end of February 2024.
More importantly, Ledger also announced that blind signing will be completely disabled on Ledger devices by the end of June 2024 and replaced with clear signing, so that users can verify every transaction on the device before signing it.
What is Blind Signing?
According to Wikipedia, a "blind signature" is a form of digital signature in cryptography in which the content of the message is hidden (blinded) from the signer before it is signed. Blind signatures have the following characteristics:
The signer cannot see the content of the message being signed.
The signature is untraceable: once the signed message is disclosed, the signer cannot know when they signed it.
Risks of Blind Signing
According to Ledger, the rapid growth of NFTs, DeFi, and DApps has made interactions between users and smart contracts more complex. When users blind-sign without understanding the full content of what they are signing, they grant smart contracts authorizations that give hackers an opportunity to steal their assets.
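The risk described above is that a device asked to blind-sign sees only opaque bytes, whereas a clear-signing path decodes the call so the user can read what is being authorized before approving. The Python below is an added illustration, not Ledger's code or anything from the article: a minimal ABI decoder for a few well-known ERC-20 and ERC-721 functions (selectors assumed from their standard signatures) that flags an unlimited approve and falls back to an "opaque" result for any selector it cannot decode, which is the case clear signing cannot cover without contract metadata.

```python
UINT256_MAX = (1 << 256) - 1
# 4-byte selectors = first 4 bytes of keccak256(signature). These are the
# well-known ERC-20 / ERC-721 values; any other selector is treated as opaque.
KNOWN_FUNCTIONS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}

def _arg_word(data: bytes, index: int) -> bytes:
    """Return the 32-byte ABI word for argument `index` (after the selector)."""
    word = data[4 + 32 * index:36 + 32 * index]
    if len(word) != 32:
        raise ValueError(f"calldata too short for argument {index}")
    return word

def decode_calldata(data_hex: str) -> dict:
    """Clear-signing view of a contract call; {"clear": False, ...} when the
    selector is unknown and the device could only show opaque bytes."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    selector = data[:4].hex()
    if selector not in KNOWN_FUNCTIONS:
        return {"clear": False, "selector": "0x" + selector,
                "warnings": ["unknown function: approving this is blind signing"]}
    name, types = KNOWN_FUNCTIONS[selector]
    args = []
    for i, typ in enumerate(types):
        word = _arg_word(data, i)
        if typ == "address":
            if any(word[:12]):  # addresses are left-padded with 12 zero bytes
                raise ValueError("malformed address argument")
            args.append("0x" + word[12:].hex())
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    warnings = []
    if name == "approve" and args[1] == UINT256_MAX:
        warnings.append("unlimited approve: spender can drain the whole token balance")
    if name == "setApprovalForAll" and args[1]:
        warnings.append("operator approval: spender can move every NFT in the collection")
    return {"clear": True, "function": name, "args": args, "warnings": warnings}

# Constructed sample calldata (not real on-chain data): an unlimited approve,
# a 1000-unit transfer, and a call whose selector the decoder does not know.
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + "22" * 20 + (1000).to_bytes(32, "big").hex()
SAMPLE_UNKNOWN = "0xdeadbeef" + "00" * 32
```

Running `decode_calldata` on the three samples shows the difference in what the user gets to review: a readable approve with a drain warning, a plain transfer, and an unknown call that can only be signed blind.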