Ledger, the well-known cryptocurrency cold-wallet maker that was attacked last week on the 14th, has announced that it will fully discontinue blind signing on Ledger devices and replace it with clear signing by the end of June next year in order to improve security.
Table of Contents:
Reasons and Timeline of Ledger’s Hacking Incident
Ledger: Discontinuing Blind Signing by the End of June Next Year
What is Blind Signing?
Risks of Blind Signing
Ledger, a popular cryptocurrency cold wallet, was attacked on December 14th when malicious code was planted in its Connect Kit library, affecting multiple projects in the Web3 sector. Ledger temporarily asked all users to stop interacting with any DApps (decentralized applications).
A week later, Ledger published an article on its official website yesterday detailing the course and causes of the attack, and announced that blind signing on Ledger devices will be temporarily suspended by the end of June 2024 and replaced with clear signing.
Reasons and Timeline of Ledger’s Hacking Incident
According to an official Ledger blog post, on December 14th hackers exploited the Ledger Connect Kit and injected malicious code into the DApps that used it, tricking EVM DApp users into signing transactions and draining their wallets. The timeline is as follows:
December 14th, morning: A former Ledger employee fell victim to a phishing attack, and their access credentials to NPMJS (the npm registry, used to publish and share JavaScript packages between applications) were stolen.
December 14th, 9:49/10:44/11:37 am: The hackers published versions 1.1.5, 1.1.6 and 1.1.7 of the Ledger Connect Kit containing malicious code on NPMJS; the code redirected user assets to attacker-controlled wallets via WalletConnect.
December 14th, 1:45 pm: Major related projects and Ledger discovered the attack.
December 14th, 2:18 pm: Ledger updated the Ledger Connect Kit version 40 minutes after receiving the attack alert, and WalletConnect disabled the relevant channels.
December 14th, 2:55 pm: Through mediation, Tether, the issuer of the stablecoin USDT, froze the funds stolen by the hacker.
Ledger: Discontinuing Blind Signing by the End of June Next Year
Ledger officially stated that the total losses incurred so far are approximately 600,000 USD, all of it stolen through blind-signed transactions in EVM DApps. The company promises to help affected users recover the stolen funds by the end of February 2024.
More importantly, Ledger also announced that by the end of June 2024, blind signing will be completely disabled on Ledger devices and replaced with clear signing to ensure that users can verify all transactions on the Ledger device before signing.
What is Blind Signing?
According to Wikipedia, a "blind signature" is a form of digital signature in cryptography in which the content of the message is disguised (blinded) from the signer before it is signed. Blind signing has the following characteristics:
The signer cannot see the content of the message they are signing.
The signature is unlinkable: once the signed message is published, the signer cannot link it back to the signing request that produced it.
Risks of Blind Signing
According to official information from Ledger, the rapid growth of NFTs, DeFi and DApps has made interactions between users and smart contracts far more complex. When users blind-sign, authorizing a smart contract without understanding the complete content of what they are signing, attackers have an opportunity to steal their assets.
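As an added illustration (not Ledger's code and not part of the original article), the following Python decoder shows the difference between what a blind-signing prompt and a clear-signing prompt can tell a user: it parses standard ERC-20/ERC-721 calldata into a readable call, flags an unlimited token allowance, and refuses to claim it understands an unknown selector. The selector values are the standard ones; the sample calldata is constructed.

```python
# Added example (not Ledger's code): a minimal clear-signing style decoder for EVM calldata.
UINT256_MAX = (1 << 256) - 1

# Standard ERC-20 / ERC-721 selectors: first 4 bytes of keccak256(function signature).
KNOWN_FUNCTIONS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}

def decode_calldata(hexdata: str):
    """Return (function_name, args, warnings); function_name is None if the call cannot be decoded."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(data) < 4:
        return None, [], ["calldata too short to contain a selector"]
    sel = data[:4].hex()
    if sel not in KNOWN_FUNCTIONS:
        # Unknown function: this is exactly the blind-signing situation, so say so instead of guessing.
        return None, [], [f"unknown selector 0x{sel}: cannot clear-sign"]
    name, types = KNOWN_FUNCTIONS[sel]
    if len(data) < 4 + 32 * len(types):
        return None, [], [f"{name}: calldata truncated"]
    args, warnings = [], []
    for i, t in enumerate(types):
        w = data[4 + 32 * i: 4 + 32 * (i + 1)]  # each static ABI argument is one 32-byte word
        if t == "address":
            if any(w[:12]):
                warnings.append(f"arg {i}: non-zero padding in address word")
            args.append("0x" + w[12:].hex())
        elif t == "uint256":
            args.append(int.from_bytes(w, "big"))
        elif t == "bool":
            args.append(int.from_bytes(w, "big") != 0)
    if name == "approve" and args[1] == UINT256_MAX:
        warnings.append("unlimited token allowance requested")
    if name == "setApprovalForAll" and args[1]:
        warnings.append("operator approval for ALL tokens in this collection")
    return name, args, warnings

def describe(hexdata: str) -> str:
    """The text a device should display before asking the user to confirm."""
    name, args, warnings = decode_calldata(hexdata)
    if name is None:
        return "BLIND SIGN REQUEST: " + "; ".join(warnings)
    text = f"{name}({', '.join(map(str, args))})"
    return text + (" !! " + "; ".join(warnings) if warnings else "")

SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32  # constructed: approve(0x11..11, unlimited)
```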