304 North Cardinal St.
Dorchester Center, MA 02124
In a significant blow to the decentralized finance (DeFi) sector, the Sushi DeFi protocol has fallen victim to its second exploit this year.
The protocol’s Chief Technology Officer (CTO), Matthew Lilley, has issued a stark warning to users, advising them to refrain from using any decentralized applications (dApps) until further notice.
The latest breach has prompted concerns about the security and integrity of the Sushi DeFi protocol and other associated dApps. According to Lilley, a widely-used web3 connector has been compromised, allowing malicious code injection that affects numerous dApps.
Specifically, dApps that use the LedgerHQ/connect-kit, a dApp that allows users to connect other dApps to their Ledger hardware wallets, are considered vulnerable. Notably, Lilley’s warning underscores the severity of the situation, emphasizing that this is not an isolated attack, but a large-scale assault targeting multiple dApps.
Further investigation by security experts has revealed a potential supply chain attack on the ledger connect kit. The attacker allegedly successfully injected a wallet-draining payload into the popular Node Package Manager (NPM), impacting several prominent dApps, including Hey and others.
Additionally, it has been discovered that the Zapper and Sushi frontends have been hijacked, exacerbating the scope of the breach.
Slowmist, a module of Ledger, further confirmed that their system was hijacked and tampered with during the supply chain attack. This compromised the integrity of the ledgerhq/connect-kit library, which is relied upon by many dApps.
As a result, users are urged to exercise caution when conducting any dApp-related operations and to scrutinize requests for wallet information that may appear unexpected.
In an official statement, Ledger has confirmed the identification and removal of a malicious version of the Ledger Connect Kit. The company assures users that their Ledger devices and Ledger Live remain uncompromised.
The company stated that a genuine version of the Connect Kit is currently being pushed to replace the malicious file. Ledger advises users to refrain from interacting with any dApps at the moment for their safety.
The company pledges to provide updates as the situation develops, ensuring users stay informed about the ongoing efforts to address the security breach.
In light of recent events affecting the Sushi DeFi protocol, its native token, SUSHI, has experienced a decline of over 4% within the past hour, reaching a low of $1.590.
Before the exploit, SUSHI had been exhibiting a notable uptrend structure on its 1-day chart, marked by higher highs and higher lows. However, with the loss of its crucial support level at $1.961, there is a potential invalidation of the previously established uptrend.
The uncertainty surrounding the protocol’s native token raises the possibility of further downside in SUSHI’s price action. If a sustained downtrend continues, the next significant support level for SUSHI is located at $1.084.
Featured image from Shutterstock, chart from TradingView.com