Basic Crypto with the Beasts: What to do during an exploit


Oddly enough, I was writing this before the announced Ledger exploit happened this morning, so everything that occurred was more fuel for the fire — motivation. We know that Ledger’s Connect Kit, essentially a helpful tool that allows dApps to connect across web3, was compromised. Some affected apps included Ledger, SushiSwap, and Revoke.cash, which is unfortunate.

But many of you are probably wondering what this means and what you should do during an exploit like this if it ever happens again. Especially since chances are, it likely will. Let’s take a closer look.

Basic Crypto with the Beasts: What should you do during an exploit or security event?


We eventually learned that today’s exploit was not retroactive. That means no wallets were exposed because of prior transactions. You won’t have your wallet drained because of something you did hours before the exploit went live.

However, anything you do while the affected apps are compromised could also unwittingly give access to your accounts or wallets. For example, suppose you missed the security alerts and gave permission to Revoke.cash to access your wallet. Things could end badly, and we’ll review why briefly.

Your best defense in this case is to do nothing. That seems counterintuitive, but there’s a reason for it.

When the news broke, the community didn’t know how many dApps or services were compromised. It was a snowball effect because Ledger’s Connect Kit interacts with many others in web3. That’s not always the case, but it’s scary nonetheless. It also shows how the negligence or mistakes of one particular service, group, or individual can affect so many others. That’s why community is so important, and it’s incredible that web3 banded together to ensure everyone knew what was happening fast. Sure, there are a lot of bad actors in the space, but this is perfect evidence that there are some really good people out there, too.

Getting back on track, because we weren’t sure how many dApps were affected, it was best not to interact with any. It might seem like a knee-jerk reaction, but it ensures your assets and funds stay safe, so is it really?

How can you identify an exploit?

Unless you’re an experienced developer, you can’t tell the difference between a genuine and a compromised dApp. It’s like phishing. Some emails and scam sites have lousy grammar and are blatantly dangerous, but with the really good ones, it’s hard to tell the difference. The code behind the scenes isn’t readable to the average person. So, you only know what those apps do with their contract calls if you know what you’re looking at.
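To show what "knowing what you're looking at" means for a contract call, here is an added example (not from the original post) that decodes the raw calldata a dApp asks a wallet to sign and flags calls that grant another address spending rights. The function selectors are the standard ERC-20 and ERC-721 ones; the risk labels, the `inspectCalldata` helper and the sample address are assumptions made up for illustration.

```javascript
// Added example: decode calldata a dApp asks the wallet to sign and flag approvals.
// Selectors are the standard ERC-20 / ERC-721 ones; risk labels are this example's own.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {
  "095ea7b3": { name: "approve", args: ["address", "uint256"] },
  "39509351": { name: "increaseAllowance", args: ["address", "uint256"] },
  "a22cb465": { name: "setApprovalForAll", args: ["address", "bool"] },
  "a9059cbb": { name: "transfer", args: ["address", "uint256"] },
};

function decodeWord(type, word) {
  if (type === "address") return "0x" + word.slice(24); // last 20 bytes of the 32-byte word
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  return BigInt("0x" + word);
}

function inspectCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { risk: "unknown", reason: "not a contract call or malformed" };
  }
  const sel = SELECTORS[hex.slice(0, 8)];
  if (!sel) return { risk: "unknown", reason: "unrecognized function selector" };
  const body = hex.slice(8);
  if (body.length < sel.args.length * 64) {
    return { risk: "unknown", reason: "truncated arguments" };
  }
  const [who, value] = sel.args.map((t, i) => decodeWord(t, body.slice(i * 64, i * 64 + 64)));
  const call = { fn: sel.name, counterparty: who, value };
  if (sel.name === "setApprovalForAll") {
    return value
      ? { ...call, risk: "high", reason: "operator can move every NFT in this collection" }
      : { ...call, risk: "low", reason: "revokes an operator" };
  }
  if (sel.name === "approve" || sel.name === "increaseAllowance") {
    if (value === 0n && sel.name === "approve") return { ...call, risk: "low", reason: "revokes an allowance" };
    return value === MAX_UINT256
      ? { ...call, risk: "high", reason: "unlimited token allowance" }
      : { ...call, risk: "medium", reason: "limited token allowance" };
  }
  return { ...call, risk: "medium", reason: "direct token transfer" };
}

// Constructed samples: the spender/operator address is a placeholder, not a real contract.
const SPENDER = "00".repeat(12) + "11".repeat(20);
const SAMPLE_UNLIMITED = "0x095ea7b3" + SPENDER + "f".repeat(64);
const SAMPLE_REVOKE = "0x095ea7b3" + SPENDER + "0".repeat(64);
const SAMPLE_NFT_ALL = "0xa22cb465" + SPENDER + "0".repeat(63) + "1";
console.log([SAMPLE_UNLIMITED, SAMPLE_REVOKE, SAMPLE_NFT_ALL].map(inspectCalldata));
```

An "unknown" result is not a clean bill of health: it only means the call is not one of the four selectors this sketch recognizes.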

What’s particularly insidious about this exploit is that it seemed genuine and came from an official source, Ledger’s Connect Kit.

Then, the snowball effect brought down several unrelated services, like Revoke.cash, which is a handy tool otherwise. Don’t forget you can also use Etherscan — or the respective tool like Polygonscan — to revoke permissions and token approvals.

If you aren’t a developer or don’t understand what happened, here’s the gist:

  • Someone nefarious slipped compromised code into the Ledger Connect Kit.
  • Because it’s common, it affected many other dApps and services.
  • If you linked your wallet through the service or apps using the compromised version, it would drain your assets and NFTs.
  • It can do this because you give it permission or authorization when you connect, like any other smart contract.

Luckily, the community acted fast and shared the discovery, saving many from the repercussions.

Besides doing nothing, what else can you do?

Doing nothing is great, but you can’t live your life that way. Here are some things to keep in mind during your web3 travels:

  • Never interact with dApps or websites you don’t know.
  • Consider using a backup or burner wallet for minting, trading, or new dApps.
  • Spread your assets across multiple wallets.
  • Don’t share access to wallets with others.
  • Never store your recovery or seed phrase online or in a digital format.
  • Sign up for security alerts on X from people you can trust, and check in daily.
  • Surround yourself with a trustworthy community and look out for one another.
  • If you see something, say something.

Together, we can stop this shit from ruining the space, as corny as that sounds.
