Crypto hardware wallet provider Ledger will enact changes to transaction signing processes after a Dec. 14 exploit in the Ledger Connect Kit software library. A week after an exploit on its Connect Kit library led to losses of over $600k, Ledger has announced its decision to disable blind signing for all Ethereum dApps.
We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.
— Ledger (@Ledger) December 20, 2023
We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.
Ledger…
By signing a transaction blindly, an individual certifies its contents without having complete knowledge of them. These particulars are presented as unprocessed smart contract signing data, which renders them unintelligible to the human eye. Ledger states that by June 2024, blind signature will no longer be supported for Ethereum decentralized applications (dApps) on its hardware wallets. Victims of the breach will also be reimbursed, as promised by the hardware wallet provider. Clear Signing is being developed by Ledger in collaboration with its ecosystem and community partners, the company asserts.
Front-end attacks have happened many times before and will continue to plague our ecosystem. The only foolproof countermeasure for this type of attack is to always verify what you consent to on your device.
Ledger stated
Although the purpose of blind signing is to improve privacy and security through the provision of comprehensive information, if the user is not aware of the precise specifications of the document they are signing, it can present a substantial risk. By using blind signing, malicious actors could potentially deceive users into approving unauthorized or malevolent transactions unknowingly, thereby endangering their assets.
Conversely, clear signing enables users to examine the comprehensive particulars of a transaction in a format that is comprehensible to humans prior to conducting authentication and granting consent. This approach facilitates a level of openness and aids users in verifying that they are authorizing authentic transactions.
Our commitment is to work with the community and DApp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and encourage Clear Signing across DApps.
Ledger added
As previously reported by The Block, a software library on which Ledger depended was compromised last week due to a critical vulnerability that affected multiple decentralized applications. Perhaps as a result of a breach in the content delivery network of the software library, the exploiter gained access to the front-ends of the applications by injecting malicious code. This code enabled the theft of assets. After identifying the malicious code, Ledger removed it; however, third-party organizations estimated that funds worth approximately $500,000 had been compromised at the time.
