Cointime


Ledger Connect Kit


MetaMask: MetaMask Portfolio and SDK users are not at risk

MetaMask stated on the X platform that Ledger has resolved the current issue, but it currently recommends that users wait for 24 hours before using the Ledger Connect suite to interact with dapps. MetaMask said that, after investigation, it has confirmed that MetaMask Portfolio and SDK users have never faced any risks, and that, as a precautionary measure, it has temporarily disabled trading on the portfolio for updates.

SlowMist Cosine: Recommended to clear browser cache to eliminate Ledger malicious code

The founder of SlowMist, Yu Xian, posted on social media regarding the Ledger vulnerability:

1. The poisoning problem of the Ledger module ledgerhq/connect-kit has been basically resolved, but the poisoned code may still be cached in the browser. If not sure, be sure to clear the browser cache (including the built-in browser cache in the wallet app).
2. Users must confirm the content of each unsigned transaction in the wallet multiple times.
3. The Ledger wallet itself is not affected.
4. The details of this supply chain attack are intriguing, and such hunters are not rare in this dark forest.
5. Tether acted in a timely manner and froze the USDT profits from phishing. In comparison, USDC continues to ignore the issue.

Ledger Exploit Endangers DeFi, Sushi Says 'Do Not Interact With ANY dApps'

Several Ethereum-based decentralized applications (dapps), including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, were compromised due to a security breach at Ledger, a Paris-based crypto hardware wallet manufacturer. Ledger has fixed the malicious code and warned users to "Clear Sign" transactions to ensure they are interacting directly with the company's website and software. The extent of the damage and the amount of money lost are not yet known, but reports suggest that the exploit is widespread. The breach highlights the need for proper auditing and testing in the decentralized finance (DeFi) ecosystem, where financial software is frequently deployed without appropriate measures.

Hackers Steal $484,000 from DeFi Protocols After Exploiting Ledger's Connect Kit Library

Hackers stole $484,000 by inserting malicious code into the GitHub library for Connect Kit, a widely used piece of blockchain software maintained by crypto wallet firm Ledger. Several major DeFi protocols that use the library have been impacted, and users have been warned to avoid using dApps until the protocols are updated. Ledger has confirmed that an employee was targeted in a phishing attack, after which the attacker published a malicious version of the Ledger Connect Kit. To completely mitigate the risk, every protocol using Ledger's Connect Kit must manually update its version of the library.