Ledger Pledges Compensations, Abandons Blind Signing Post-Heist


In the wake of a security breach in which $600,000 of its users’ assets were stolen, the hardware wallet firm Ledger has issued a forthright response. The company has acknowledged the severity of the breach, accepted responsibility, and vowed to strengthen its security posture by deprecating Blind Signing—a process criticized for showing users a transaction as opaque data rather than in plain text. Ledger aims to complete this change by June 2024, underscoring its commitment to user safety.

For those caught up in the ConnectKit attack, most notably users who blind-signed transactions from dApps on the Ethereum Virtual Machine (EVM), the consequences were severe. Ledger’s response has been both immediate and reflective: it has recognized the magnitude of the incident and committed to fully compensating the victims of the exploit. This commitment extends beyond Ledger’s own customers; non-Ledger users affected by the attack will also be compensated.

Leading this restitution effort is Ledger’s CEO and Chairman, Pascal Gauthier, who is personally overseeing the handling of individual cases of impacted users. The company has contacted those affected to ensure that recovery from their losses is prioritized and handled case by case.

Looking toward the future, Ledger has unequivocally dismissed Blind Signing from the repertoire of features on its devices. By June 2024, this practice will be obsolete, making way for “Clear Signing.” This forthcoming protocol reflects a conscious pivot towards enabling users to comprehensively review and verify transaction details on their devices across dApps before appending their digital signature—fostering a more secure transaction environment.

Using the insights gathered after the attack, the company explained how the assault worked its way through Ledger’s Connect Kit. It was a carefully orchestrated ploy: malicious code in the kit siphoned assets to the perpetrators’ wallets as users unknowingly signed the attackers’ transactions.
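To show what Clear Signing surfaces and Blind Signing hides, here is an added example written for this article (it is not Ledger’s firmware, Connect Kit or any other Ledger code): a hypothetical Python decoder that turns the raw calldata of an EVM transaction into a plain-text summary and flags an unlimited token approval, the kind of detail a user cannot see when asked to sign opaque data. The function selectors are the standard ERC-20/721 values; the sample calldata is constructed.

```python
# Hypothetical clear-signing style decoder (constructed example, not Ledger code).
# Standard 4-byte selectors: first 4 bytes of keccak256 of the function signature.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),           # ERC-20
    "a9059cbb": ("transfer", ("address", "uint256")),          # ERC-20
    "a22cb465": ("setApprovalForAll", ("address", "bool")),    # ERC-721/1155
}
UINT256_MAX = 2**256 - 1


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * i
    if len(data) < start + 32:
        raise ValueError("calldata truncated")
    return data[start:start + 32]


def decode_calldata(hex_calldata: str) -> dict:
    """Turn raw calldata into the plain-text summary a clear-signing wallet shows,
    plus warnings for patterns that deserve a second look before signing."""
    data = bytes.fromhex(hex_calldata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    sel = data[:4].hex()
    if sel not in SELECTORS:
        # Unknown function: the device can show only the raw hex, i.e. blind signing.
        return {"function": None, "args": [], "summary": f"unknown selector 0x{sel}",
                "warnings": ["undecodable calldata: this would be a blind signature"]}
    name, types = SELECTORS[sel]
    args = []
    for i, typ in enumerate(types):
        word = _word(data, i)
        if typ == "address":
            args.append("0x" + word[12:].hex())        # address is the low 20 bytes
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    warnings = []
    if name == "approve" and args[1] == UINT256_MAX:
        warnings.append("unlimited token allowance granted to spender")
    if name == "setApprovalForAll" and args[1]:
        warnings.append("operator approved for every token in this collection")
    summary = f"{name}({', '.join(str(a) for a in args)})"
    return {"function": name, "args": args, "summary": summary, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: approve(spender=0x11..11, amount=uint256 max), the unlimited
    # allowance a malicious dApp front end would ask the user to sign.
    sample = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
    print(decode_calldata(sample))
```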

Ledger countered the assault quickly, deploying a security update for the Connect Kit within 40 minutes of discovery. Despite that speed, content delivery networks cache what they serve, so the fix did not reach every user instantaneously.

The incident underscores the broader challenge of ensuring robust user security within the dApp domain—a task that Ledger aims to champion by instituting a more stringent security regimen. This includes intensified access controls, comprehensive audits, stringent code signing practices, and an overall heightened monitoring and response system for the platform’s infrastructure.

Central to Ledger’s post-incident strategy is educating users on the merits of Clear Signing, on the risks of signing transactions whose details are obscured, and on how to recognize and resist front-end attacks or malicious code injections in decentralized applications.

In conclusion, with Clear Signing, Ledger aspires to set a new industry standard where transparency and security interlace, offering users a bulwark against the vulnerabilities historically associated with crypto transactions.
