TLDR;
- On December 14th, 2023, Ledger experienced an exploit on Ledger Connect Kit, a JavaScript library to connect websites to wallets.
- This exploit effectively ran for less than 2 hours thanks to the quick actions of the community.
- NNS neurons controlled by a Ledger hardware wallet (HW), liquid ICP controlled by Ledger HW, or liquid ICP held in the Ledger Live app were not affected at any point during these two hours or after.
- Why? None of the code under the DFINITY GitHub account uses the compromised package (and never used it).
Ledger Connect Kit Exploit
On December 14th, 2023, Ledger experienced an exploit on Ledger Connect Kit, a JavaScript library to connect websites to wallets. This exploit was the result of a former employee falling victim to a phishing attack, which allowed a bad actor to upload a malicious file to Ledger’s NPM (a package manager for JavaScript code shared between apps). Ledger was quick to react, and deactivate the malicious code within 40 minutes of discovery.
People affected by this exploit were asked to perform blind signing. Blind signing is not used in any of the frontend applications maintained by DFINITY. It is recommended that you do not sign any transaction you do not fully trust!
Read the full letter addressing the incident from Ledger’s CEO, Pascal Gauthier here.
Neurons in the NNS
On the Internet Computer, every ICP account ID is controlled by a principal, including neurons in the NNS. Principals can come from Internet Identity or derived from a public key, which is the case for instances where the Ledger device controls the principal.
When you create a neuron that is controlled by a Ledger hardware wallet through the NNS dapp, the Ledger device creates a private/public key pair, where the private key is only stored in your Ledger device. Only someone with physical access to this Ledger device can sign transactions, or someone who knows your seed phrase (or recovery phase). It is recommended that you do not share your seed phrase with anyone you do not completely trust!
When you perform actions on a Ledger-controlled neuron such as increasing dissolve delay, or start dissolving, you will be asked to use your Ledger device to sign transactions (messages) for each of these actions. These messages always clearly state what you are signing. You can verify the neuron you are interacting with, by checking the neuron ID on the NNS dapp and comparing it to the ID seen on the Ledger device.
Conclusion
While this exploit didn’t affect the ICP community, we strongly encourage you to follow good security hygiene. We recommend that you:
- Do not share your seed phrase with someone you don’t fully trust
- Do not upload your seed phrase anywhere, where it may become compromised
- Do not sign transactions you don’t recognise