Ledger, a hardware wallet manufacturer, has announced plans to disable blind signing for Ethereum Virtual Machine (EVM) decentralized applications (DApps) by June 2024.

The decision comes in response to an exploit where a wallet drainer was added to a library utilized by numerous DApps to connect to Ledger devices.

Ledger Announces Plan to Compensate Victims

In a tweet, Ledger revealed that approximately $600,000 in crypto assets were stolen during the recent exploit. In response to the security breach, the company announced its commitment to compensating affected victims.

It declared that it would discontinue the practice of Blind signing with Ledger devices by June 2024.

We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.

We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.

Ledger…

— Ledger (@Ledger) December 20, 2023

Blind signing involves displaying raw smart contract signing data, readable by computers but not by humans. The company’s decision to phase out blind signing is a step toward establishing a new standard to enhance user protection and promote clear signing across decentralized applications.

Ledger urged DApp developers to support clear signing and emphasized its dedication to preventing such incidents in the future, ensuring the ecosystem’s security.

According to Ledger, the stolen assets were taken from users blind signing on EVM DApps.

Ledger Exploit Drains Fund

In the recent exploit last week, developers on Twitter identified a malicious version of the Ledger Connect Kit, a library facilitating the connection between Ledger devices and DApps.

According to Web3 security firm BlockAid, the attacker injected a wallet-draining payload into the Ledger Connect Kit’s NPM package, allowing them to drain funds from users who signed on DApps like Sushi.com and Hey.xyz.

MetaMask, a software wallet developer, cautioned users to “stop using DApps” following news of the attack. In a subsequent statement, Ledger confirmed that the attack occurred due to a former employee falling victim to a phishing attack.

The attacker accessed the former employee’s NPMJS account, allowing them to push a malicious version of the Ledger Connect Kit. This compromised Connect Kit rerouted user funds from any wallet connecting to a DApp using it to the hacker’s wallet.

Ledger responded swiftly, deploying a fix within 40 minutes of its security teams alerting it. Meanwhile, a new version of the Connect Kit (1.1.8) has been released. The exploit did not compromise Ledger devices and the Ledger Live app.

It’s worth noting that Ledger has faced criticism over its security. In 2020, a Ledger customer email database was hacked, exposing over a million user emails. Earlier this year, Ledger’s voluntary ID-based Recover service also received criticism from users, with some calling it a “backdoor.”