KEY POINTS
- Around $600,000 in assets was stolen due to a recent security incident on Ledger's ConnectKit
- Ledger said it will reimburse affected users and plans to resolve it by February 2024
- Ledger asked users who signed a transaction on affected DApps on Dec. 14 to revoke the approvals (token allowances) they granted
Crypto wallet maker Ledger reaffirmed the promise of its chairman and CEO that it will reimburse users who have lost their funds to a security breach on its ConnectKit and shared crucial policy updates, particularly about signing transactions.
Just a few days after the high-profile hack that significantly impacted the entire Ethereum Virtual Machine (EVM) ecosystem, Ledger acknowledged that around $600,000 in assets had been stolen from users via blind signing on EVM decentralized apps (DApps).
The hardware crypto wallet maker also outlined its plan to reimburse all affected users and committed to completing the reimbursements by the end of February 2024. It also disclosed that it is currently in contact with users, "working through the specifics with them."
"We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them," Ledger said in a post on X.
"We remind users that if you signed a transaction on affected DApps Dec 14th, 2023, best security practices would recommend revoking any authorized transactions to further reduce impact from the malicious code," the firm added.
Ledger also said it will remove blind signing from its devices entirely, with the change fully in place by June 2024.
"We are announcing that by June 2024, users will no longer be able to Blind Sign with Ledger devices. Our commitment is to work with the community and DApp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and encourage Clear Signing across DApps," it said.
Ledger advised users to always verify what they are consenting to on the device itself, calling that the only "foolproof countermeasure" to attacks like this recent one.
"The only foolproof countermeasure for this type of attack is to always verify what you consent to on your device," the wallet maker said, adding, "This is only possible with Clear Signing: meaning you can see and verify exactly what you sign on a secure display."
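Two pieces of the advice above are concrete enough to show in code: what a clear-signing screen must surface before the user approves (the spender and the amount of an ERC-20 `approve()` call, which is exactly what blind signing hides), and how the allowance a drainer obtained is revoked (a second `approve()` for the same spender with amount 0). The block below is an added example written for this page, not Ledger's or Connect Kit's code. It uses the standard 4-byte selectors for `approve(address,uint256)` and `allowance(address,address)`; the two addresses and the sample calldata are constructed for illustration and are not taken from the incident, and the `trusted_spenders` list is a hypothetical allow-list the caller supplies.

```python
# Added example (not Ledger's code): decode ERC-20 approve() calldata the way a
# clear-signing display would present it, flag unlimited allowances and unknown
# spenders, and build the approve(spender, 0) calldata that revokes the allowance.
# Selectors are the standard ones for approve(address,uint256) and
# allowance(address,address). Addresses and calldata below are constructed
# samples, not data from the incident.
from __future__ import annotations

from dataclasses import dataclass

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # keccak256("approve(address,uint256)")[:4]
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # keccak256("allowance(address,address)")[:4]
UINT256_MAX = (1 << 256) - 1                    # "unlimited" allowance drainers ask for


@dataclass
class Approval:
    spender: str   # 0x-prefixed 20-byte hex address
    amount: int


def _pad_address(addr: str) -> bytes:
    """Left-pad a 20-byte address to the 32-byte ABI word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def _pad_uint256(n: int) -> bytes:
    if not 0 <= n <= UINT256_MAX:
        raise ValueError("uint256 out of range")
    return n.to_bytes(32, "big")


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector + two 32-byte words."""
    return APPROVE_SELECTOR + _pad_address(spender) + _pad_uint256(amount)


def encode_allowance_call(owner: str, spender: str) -> bytes:
    """ABI-encode the read-only allowance(owner, spender) call used to check what is still granted."""
    return ALLOWANCE_SELECTOR + _pad_address(owner) + _pad_address(spender)


def decode_approve(calldata: bytes) -> Approval:
    """Parse approve() calldata; raise if it is not a well-formed approve call."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve() call")
    spender_word, amount_word = calldata[4:36], calldata[36:68]
    if any(spender_word[:12]):  # upper 12 bytes of an address word must be zero
        raise ValueError("malformed address word")
    return Approval("0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big"))


def describe(calldata: bytes, trusted_spenders: set[str]) -> str:
    """The text a clear-signing screen should show before the user consents."""
    a = decode_approve(calldata)
    unlimited = a.amount == UINT256_MAX
    known = a.spender.lower() in {s.lower() for s in trusted_spenders}
    parts = [f"approve spender {a.spender}",
             "amount UNLIMITED" if unlimited else f"amount {a.amount}"]
    if not known:
        parts.append("WARNING: spender not in your trusted list")
    return "; ".join(parts)


def revoke_calldata(calldata: bytes) -> bytes:
    """Build the approve(spender, 0) call that cancels the allowance granted by `calldata`."""
    return encode_approve(decode_approve(calldata).spender, 0)


# Constructed sample: a drainer-style unlimited approval to an unknown spender.
DRAINER = "0x" + "ab" * 20   # hypothetical spender address
DAPP = "0x" + "12" * 20      # hypothetical legitimate DApp contract
SAMPLE = encode_approve(DRAINER, UINT256_MAX)

if __name__ == "__main__":
    print(describe(SAMPLE, {DAPP}))
    print("revoke tx data:", revoke_calldata(SAMPLE).hex())
```

The revoke call must be sent from the same account that granted the approval, and it only covers plain ERC-20 allowances: `setApprovalForAll` on NFT contracts and off-chain `permit` signatures are separate grants that this decoder does not parse and that need their own revocation.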
Last week, malicious actors targeted Ledger's connector library, Ledger Connect Kit, a JavaScript library that DApp front ends load to communicate with Ledger hardware wallets. Attackers published malicious versions of the library, so DApps that loaded it served wallet-draining code to their users in the browser.
At present, Ledger said it is "100% focused on following up to last week's security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe."