Ledger Responds to Connect Kit Exploit With Reimbursement Plan, Security Overhaul
Following a significant security incident, Ledger, a well-known crypto hardware wallet manufacturer and security firm, has announced a response plan. Approximately $600,000 in assets were stolen from users after malicious code was injected into the Ledger Connect Kit library used by EVM decentralized applications (dapps), tricking users into blind signing transactions that drained their wallets. On Dec. 20, 2023, Ledger said it will fully reimburse all affected users, including non-customers, a commitment underscored by the company’s CEO, Pascal Gauthier.
Crypto Security Firm Ledger Vows Full Payback Post $600K Hack
The incident, detected on December 14, 2023, involved a compromise of the Ledger Connect Kit, the library many dapps load to connect to a wallet, which put malicious code into every dapp that pulled the tampered version. That code deceived users into signing transactions that drained their wallets. Ledger and the wider crypto community issued alerts once the attack was detected, but around $600,000 in user assets had already been lost.
The company said on the social media platform X that it is not only addressing the immediate repercussions of the attack but also taking steps to prevent future incidents. By June 2024, Ledger devices will no longer support blind signing and will move to a method known as Clear Signing. With blind signing, the device signs transaction data it cannot decode, so the user has no way to tell a legitimate swap from a token-draining approval; Clear Signing decodes that data so users can verify all transaction details on the Ledger device screen before signing.
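As an added illustration (not Ledger’s code or part of the original article), the snippet below shows the decoding a wallet must perform before it can "clear sign" an EVM transaction, and contrasts it with what a blind-signing flow can show the user. The four-byte selectors are the well-known first bytes of keccak256 over each ERC-20/ERC-721 function signature; the addresses and amounts in the sample calldata are constructed for this example, and the `describeForSigning` function and its output format are this example’s own design rather than any device’s real UI.

```javascript
// Added example (not Ledger's code): decode EVM calldata the way a clear-signing
// flow must before showing it to the user, versus the opaque view of blind signing.
// Selectors are the well-known first 4 bytes of keccak256(signature); all sample
// addresses and amounts below are constructed for this example.

const SELECTORS = {
  "095ea7b3": { name: "approve",           params: ["address", "uint256"] },
  "a9059cbb": { name: "transfer",          params: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom",      params: ["address", "address", "uint256"] },
  "a22cb465": { name: "setApprovalForAll", params: ["address", "bool"] },
};

const UINT256_MAX = (1n << 256n) - 1n;

function strip0x(hex) {
  return hex.startsWith("0x") ? hex.slice(2) : hex;
}

// Decode a single 32-byte (64 hex char) ABI word according to its static type.
function decodeWord(type, word) {
  if (type === "address") return "0x" + word.slice(24);   // 20 bytes, right-aligned
  if (type === "uint256") return BigInt("0x" + word);
  if (type === "bool")    return BigInt("0x" + word) !== 0n;
  throw new Error("unsupported ABI type: " + type);
}

// Parse selector + static arguments. Returns null when the method is unknown or
// the argument block has the wrong length: a clear-signing flow must refuse to
// decode rather than guess at what the bytes mean.
function decodeCalldata(calldata) {
  const hex = strip0x(calldata).toLowerCase();
  if (hex.length < 8 || hex.length % 2 !== 0 || /[^0-9a-f]/.test(hex)) return null;
  const abi = SELECTORS[hex.slice(0, 8)];
  if (!abi) return null;
  const body = hex.slice(8);
  if (body.length !== abi.params.length * 64) return null;
  const args = abi.params.map((type, i) => decodeWord(type, body.slice(i * 64, (i + 1) * 64)));
  return { method: abi.name, args };
}

// What the signer is asked to confirm under each mode (example format, not a real UI).
function describeForSigning(calldata, mode) {
  const bytes = strip0x(calldata).length / 2;
  if (mode === "blind") {
    // The device can only report that data is present; its effect is invisible.
    return { mode, summary: `data present (${bytes} bytes), contents not shown`, warnings: [] };
  }
  const decoded = decodeCalldata(calldata);
  if (!decoded) {
    return { mode, summary: null, warnings: ["unknown or malformed method: refuse to sign"] };
  }
  const { method, args } = decoded;
  const warnings = [];
  if (method === "approve" && args[1] === UINT256_MAX) {
    warnings.push(`unlimited token allowance granted to ${args[0]}`);
  }
  if (method === "setApprovalForAll" && args[1] === true) {
    warnings.push(`operator rights over the whole collection granted to ${args[0]}`);
  }
  const shown = args.map((a) => (typeof a === "bigint" ? a.toString() : String(a))).join(", ");
  return { mode, summary: `${method}(${shown})`, warnings };
}

// Constructed sample: approve() granting an unlimited allowance to a drainer address.
const DRAINER = "1111111111111111111111111111111111111111";
const APPROVE_UNLIMITED = "0x095ea7b3" + "0".repeat(24) + DRAINER + "f".repeat(64);
// Constructed sample: a plain transfer of 1,000,000 base units (0xf4240) to another address.
const TRANSFER_1M = "0xa9059cbb" + "0".repeat(24) +
  "2222222222222222222222222222222222222222" + "0".repeat(59) + "f4240";

// Same bytes, two very different prompts.
console.log(JSON.stringify(describeForSigning(APPROVE_UNLIMITED, "blind")));
console.log(JSON.stringify(describeForSigning(APPROVE_UNLIMITED, "clear")));
```

Under "blind" the drainer’s unlimited `approve` is indistinguishable from any other payload; under "clear" the same calldata decodes to the spender and the amount, and the unlimited allowance is flagged. Real wallets need the target contract’s full ABI (or a curated registry of known methods) to do this for arbitrary dapps, which is why Ledger is asking dapp developers to support Clear Signing rather than treating it as a device-only change.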
As part of its remedial actions, Ledger said it has been reviewing and auditing all of its access controls. It is reinforcing policies around code review, deployment, distribution, and access control, including adding external tools to its maintenance and offboarding checks and conducting regular internal audits to confirm the policies are actually being followed.
Ledger also said it is intensifying security training for employees. The company already runs security training sessions, including phishing training, and plans to reinforce the program in early 2024. The X announcement added that Ledger is prioritizing regular third-party security assessments, with an audit focused specifically on access control, code promotion, and distribution slated for early 2024.
The company announced on X that it is actively reaching out to impacted users and working through the specifics with each of them to ensure full reimbursement of their stolen crypto assets. Reimbursements are expected to be completed by the end of February 2024. Lastly, the company urged dapp developers to support Clear Signing, stressing that protecting users requires collaboration across the ecosystem and not just changes on the device.