Ledger dapp issue

Hey, wondering if Cardano dapps are affected by this. Wondering if Ledger users connecting to Cardano dapps would get affected?

1 Like

What do you mean “by this”? Did you want to include a link there?

2 Likes

Just did, added a screenshot. Thanks

1 Like

Here’s some more info: Multiple DApps using the Ledger connector library compromised

Seems the Connector library served through their CDN had malicious code injected.

4 Likes

In this specific case not.

This connect-kit library is only usable for Ethereum, Polygon, Solana, and BSC: https://developers.ledger.com/docs/connectivity/connect-kit

Cardano dApps use totally different methods to connect to wallet apps (or directly to the Ledger).

Moreover, it has been fixed in the meantime.

4 Likes

This upcoming Catalyst proposal has been motivated mainly by the premise that hardware wallets cannot be a comprehensive guarantee of security:

2 Likes

The hack that happened has nothing to do with Ledger hardware wallet security; moreover, all users of dapps that used that affected library were affected, whether they used a Ledger or not. It just happened that the hack happened in an npm lib of Ledger, but it could’ve happened in another lib too…

3 Likes

This is why I used the word “comprehensive” … i.e. including the software produced by the hardware wallet manufacturers (as per the vulnerability identified above) and their means of interacting with users / providing support (see 2020 incident, Ledger users threaten legal action after hacker dumps personal data).

From a user’s perspective, a hardware wallet is a strongly branded security model which they are led, and lead themselves, to believe is invulnerable. However those vulnerabilities in the overall system may be mitigated as you say, their presence itself proves that the commercial hardware wallet overall platforms are imperfect and therefore incomplete without alternatives.

4 Likes

Thanks for your insights.

1 Like