Hey, wondering if Cardano dapps are affected by this. Wondering if Ledger users connecting to Cardano dapps would get affected?
What do you mean “by this”? Did you want to include a link there?
Just did, added a screenshot. Thanks
Here’s some more info: Multiple DApps using the Ledger connector library compromised
Seems the Connector library served through their CDN had malicious code injected.
In this specific case not.
This connect-kit library is only usable for Ethereum, Polygon, Solana, and BSC: https://developers.ledger.com/docs/connectivity/connect-kit
Cardano dApps use totally different methods to connect to wallet apps (or directly to the Ledger).
Moreover, it has been fixed in the meantime.
This upcoming Catalyst proposal has been motivated mainly by the premise that hardware wallets cannot be a comprehensive guarantee of security:
The hack that happened has nothing to do with Ledger hardware wallet security; moreover, all users of dapps that used that affected library were affected, whether they used a Ledger or not. It just happened that the hack happened in an npm lib of Ledger, but it could’ve happened in another lib too…
This is why I used the word “comprehensive” … i.e. including the software produced by the hardware wallet manufacturers (as per the vulnerability identified above) and their means of interacting with users / providing support (see 2020 incident, Ledger users threaten legal action after hacker dumps personal data).
From a user’s perspective, a hardware wallet is a strongly branded security model which they are led, and lead themselves, to believe is invulnerable. However those vulnerabilities in the overall system may be mitigated as you say, their presence itself proves that the commercial hardware wallet overall platforms are imperfect and therefore incomplete without alternatives.
Thanks for your insights.