By: Eva Baxter
Following a recent security exploit that compromised its ConnectKit library, hardware wallet provider Ledger has committed to fully reimbursing affected users for the approximately $600,000 loss in digital assets. The security breach, mainly impacting Ethereum Virtual Machine (EVM) dApp users, resulted from a vulnerability that enabled blind-signed transactions.
Reports suggest that attackers hacked into Ledger's ConnectKit library, replacing the genuine version with a malicious file that redirected funds to a hacker-controlled wallet. Prominent DeFi projects, such as SushiSwap, were impacted. In response, Ledger has pushed an immediate update to rectify the situation and pledged a continued focus on improving security measures.
As part of this commitment, Ledger has announced plans to phase out blind signing on its device by June 2024. In its place, Clear Signing will be introduced – a process allowing users to verify all transaction details before approving them. This new precautionary measure aims to prevent similar front-end attacks in the future.
According to Ledger, Clear Signing will set a new standard of user protection. It will help users verify exactly what they consent to on their device, a feature only possible with a secure display. Ledger also plans to intensify efforts to raise awareness about the risks associated with blind signing transactions and the benefits offered by Clear Signing.
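To make the difference between blind signing and Clear Signing concrete, the following added example (not Ledger's code and not taken from the incident) contrasts what each kind of prompt can show for the same EVM call. The ERC-20 `approve` call, the two function selectors handled, the function names and all addresses are assumptions chosen for illustration; the sample values are constructed.

```python
# Added illustration (not Ledger's code): blind-signing prompt vs. clear-signing prompt.
# Handles two well-known ERC-20 selectors; every sample value below is constructed.
SELECTORS = {
    "a9059cbb": ("transfer", "recipient", "amount"),
    "095ea7b3": ("approve", "spender", "allowance"),
}
MAX_UINT256 = 2**256 - 1

TOKEN = "0x" + "11" * 20  # constructed token contract address
SAMPLE = "0x095ea7b3" + "00" * 12 + "22" * 20 + "ff" * 32  # constructed calldata


def _hex_body(calldata_hex):
    body = calldata_hex.lower()
    return body[2:] if body.startswith("0x") else body


def blind_view(calldata_hex):
    """What a blind-signing prompt offers: opaque bytes the user cannot interpret."""
    body = _hex_body(calldata_hex)
    return f"Sign data? 0x{body[:8]}...{body[-8:]} ({len(body) // 2} bytes)"


def clear_view(contract, calldata_hex):
    """Decode the call into the fields a user needs to review before approving."""
    body = _hex_body(calldata_hex)
    selector, args = body[:8], body[8:]
    if selector not in SELECTORS or len(args) != 128:
        return {"contract": contract, "decoded": False}  # never show a guess
    try:
        int(args, 16)  # reject non-hex input before slicing it into words
    except ValueError:
        return {"contract": contract, "decoded": False}
    if int(args[:24], 16) != 0:  # an address word must be left-padded with zeros
        return {"contract": contract, "decoded": False}
    method, party_label, value_label = SELECTORS[selector]
    value = int(args[64:], 16)
    return {
        "contract": contract,
        "decoded": True,
        "method": method,
        party_label: "0x" + args[24:64],
        value_label: value,
        "unlimited": method == "approve" and value == MAX_UINT256,
    }


if __name__ == "__main__":
    print(blind_view(SAMPLE))
    print(clear_view(TOKEN, SAMPLE))
```

The blind prompt reduces the request to a few bytes of hex, while the decoded view names the spender and flags the unlimited allowance, which is the information a user needs in order to refuse a transaction crafted by a tampered front end.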