Sushi’s DeFi protocol has been impacted by a severe security vulnerability, prompting an urgent warning from its Chief Technology Officer, Matthew Lilley. This threat originates from a front-end exploit linked to a compromised Web3 connector.
The vulnerability, initially disclosed via X, signals a significant industry-wide risk related to a commonly used Web3 connector. This attack vector allows for the injection of malicious code, potentially threatening numerous decentralized applications (dApps). As a precautionary measure, Lilley urged users to refrain from interacting with any dApp until the situation is resolved.
🚨 Urgent Security Alert 🚨
We've identified a critical issue: the ledger connector has been compromised, potentially allowing the injection of malicious code affecting various dApps.
🔴 If you have the Sushi page open and see an unexpected 'Connect Wallet' pop-up, DO NOT… https://t.co/alGVbnPfHW
— Sushi.com (@SushiSwap) December 14, 2023
Unlike attacks on the protocol’s hot wallets, this exploit operates by manipulating the user interface (UI) of websites or applications. Through this method, attackers can redirect functions to divert funds to their own accounts. The severity of this vulnerability is multiplied by its capacity to impact various dApps, transcending the boundaries of the Sushi platform.
ANY dApp which makes use of LedgerHQ/connect-kit is vulnerable. Don't use ANY dApps until further notice. This isn't a single isolated attack, it's a large-scale attack on multiple dApps. https://t.co/a3brXNQSx9
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
According to a User, the Exploit Originates from Ledger’s GitHub
Further investigations led to the identification of the GitHub page of the hardware wallet provider, Ledger, as the source of the suspicious code. A Sushi user revealed that Ledger’s library was compromised and replaced with a mechanism to drain tokens. This incident was not confined to Sushi alone, as other DeFi platforms like Zapper and RevokeCash also reported similar issues.
Lilley issued an additional warning, noting that any dApp using LedgerHQ/Connect-Kit is at risk and emphasizing that this is a large-scale attack affecting multiple dApps.
This event highlights the fragility of DeFi platforms and once again underscores the immediate need to implement stronger security measures. Although the full impact of this vulnerability has not yet been assessed, users and developers are urged to increase vigilance and implement comprehensive security protocols to protect their assets and platforms.
It is expected that the Sushi team and other affected platforms will conduct thorough investigations to identify the origin of the vulnerability and take measures to prevent future incidents.