Massive Ledger Security Event Impacted Numerous Crypto Apps, Industry Professional Provides Guidance for Securing Assets in Self-Custody

Jameson Lopp, co-founder and CTO at Casa, has shared key insights after the widely reported Ledger hack / security breach that appears to be impacting a large number of DeFi platforms and dApps, with some unconfirmed reports indicating major losses of crypto funds.

Lopp, who is focused on building tools to empower individual sovereignty, notes in a detailed blog post that supply chain attacks are “one of the most potent security threats for owners of bitcoin and other digital assets to consider.”

As reported by Ledger and other industry participants, there was a massive security event that impacted hundreds of cryptocurrency-based apps.

Lopp, who has been building bitcoin wallets since 2015, says that Casa was not affected.

However, the company wants to provide guidance when uncertainty arises with respect “to securing assets in self-custody.”

In a recent update, Casa explains what happened, why it matters, and how you may be able to keep your assets safe.

As explained in the blog post, a supply chain attack takes place when a malicious entity “inserts themselves in between you and the trusted source providing the functionality you’re using.”

The update clarified that supply chain attacks “need not be physical in nature (against hardware) — they can also attack the actual delivery of code that gets executed on your device.”

As mentioned in the update, the vulnerability exposed recently pertains to the Ledger Connect Kit, a software library commonly used in other apps.

Libraries are an everyday tool “for software development and allow engineers to build and ship apps faster.”

As stated in the update, the downside of libraries is “when they contain a vulnerability, it can be exploited downstream in other apps that use the library.”

This is one of many reasons “why apps require updates from time to time.”

The blog post pointed out that for a few hours yesterday, anyone who used an app that “loaded the Ledger Connect Kit would have had malicious code loaded into the app.”

Reports indicate the malicious code creates a fake “Ledger” entry on the pop-up “where you select your wallet.”

The blog post further noted that it may also “make signature request pop-ups in a browser wallet to approve sending funds to the attacker account.” To be clear, you can “be at risk even if you aren’t using a Ledger device.”

This recent supply chain attack “injected a wallet drainer into Ledger’s ‘wallet connect’ library that gets loaded by many web3 / DeFi apps.”

Lopp explained that a wallet drainer is basically “a smart contract which, if given approval to control your wallet, will steal all of the funds.”

The key point is “that it must be given approval by you via a cryptographically signed message.”

As such, wallet drainer attackers will “try to be as sneaky as possible to trick you into approving that their contract can access your funds.”

As noted in the update, Casa members who are using their Pay wallet or multi-key vaults for their BTC, ETH, and stablecoins are “not affected by this supply chain attack.”

Because Casa vaults require multiple keys and signatures to send transactions, a single signature of the malicious wallet drainer contract “would not be sufficient to take control of your funds.”

At worst, it would be “able to drain the funds from whatever single-signature account you have tied to your daily driver DeFi wallet.”

The blog post also mentioned that Casa’s vaults “are designed to withstand supply chain attacks.”

In the context of Casa’s architecture, which distributes multiple keys across different hardware devices, this diversity “provides robustness against such attacks.”

Even if one key’s hardware or software is compromised, the rest remain “secure.” The likelihood of an attacker executing multiple simultaneous supply chain attacks is “essentially zero.”

Although Ledger has fixed the underlying code issue, it’s still possible you “may accidentally load some cached malicious code for the next day or so.”

The update asked users to make sure they don’t have the malicious library cached: go to https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit and ensure the version is 1.1.8. If it’s not, clear your browser cache.
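As an added illustration (not code from Casa, Ledger, or the blog post being summarized), the script below is a check an app maintainer could run over their own pages: it flags script tags that load an npm package from jsDelivr without an exact version or without a Subresource Integrity hash, the conditions under which a newly published release of a library is served to users without the app itself changing. The function names, the `EXPECTED` table, and the sample HTML are assumptions made for the example; 1.1.8 is the version named above.

```javascript
// Added example: audit <script> tags that load npm packages from jsDelivr.
// EXPECTED maps package name -> the version the site has reviewed; 1.1.8 is
// the connect-kit version named in the article.
const EXPECTED = { '@ledgerhq/connect-kit': '1.1.8' };

// Split "https://cdn.jsdelivr.net/npm/@scope/name@1.2.3/file.js" into
// package name and version (null when the URL carries no version).
function parseJsdelivrNpmUrl(src) {
  let url;
  try { url = new URL(src); } catch { return null; } // relative or invalid URL
  if (url.hostname !== 'cdn.jsdelivr.net') return null;
  const m = url.pathname.match(
    /^\/npm\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(\/.*)?$/);
  return m ? { name: m[1], version: m[2] || null } : null;
}

// Return one finding per script tag that could silently pick up a new release.
function auditScripts(html) {
  const findings = [];
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    const pkg = src && parseJsdelivrNpmUrl(src);
    if (!pkg) continue;
    const issues = [];
    // Anything other than an exact x.y.z (no version, or a range such as
    // "@1") floats to whatever is currently published.
    if (!/^\d+\.\d+\.\d+$/.test(pkg.version || '')) issues.push('floating-version');
    else if (EXPECTED[pkg.name] && pkg.version !== EXPECTED[pkg.name]) {
      issues.push('unexpected-version');
    }
    // Without SRI the browser executes whatever bytes the CDN returns.
    if (!/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag)) issues.push('no-integrity');
    if (issues.length) findings.push({ name: pkg.name, version: pkg.version, issues });
  }
  return findings;
}

// Constructed sample page; the file path and hash are placeholders.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8/dist/index.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML), null, 2));
```

Only the first two tags are reported; the third is pinned to an exact version and carries an integrity attribute, and the fourth is not a CDN load.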

As stated in the update:

“Today’s attack was a fascinating example of how, despite the widely distributed and decentralized nature of the crypto ecosystem in many regards, there are still single points of failure. It’s astounding that a single compromised (former) employee account at one company can result in countless users’ funds being put at risk due to the interconnected nature of widely adopted software libraries. If you have substantial savings, they should be protected by more than one key. The best time to protect your assets is right now, before the next attack.”

The firm suggested that if you are wondering whether your assets are safe on a hot wallet, custodian, or exchange, now’s your chance to be “proactive.” With Casa, you can safely take self-custody of your digital assets with your multi-key vault “for greater protection from supply chain attacks and many other threats.”

For more details, check here.


