UPDATE: Ledger Makes Promise To Customers Following Hack
December 20, 2023 12:42 pm

Ledger has made two major announcements following the high-profile hack that left $600,000 drained from the wallets of users.
The hardware wallet manufacturer said it will disable ‘blind signing’ on Ledger devices by June 2024, neutralizing the Ledger Connect Kit vulnerability that was responsible for the security breach.
Additionally, Ledger announced that it will make affected customers whole by reimbursing their stolen funds. Ledger said on Wednesday:
“We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.
We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.
Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.
We affirm our CEO & Chairman Pascal Gauthier’s promise to make sure victims who had their assets stolen on Dec 14th, 2023 by the attacker together with angel drainer are made whole, including users who are not Ledger customers.
We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them.
We remind users that if you signed a transaction on affected DApps Dec 14th, 2023, best security practices would recommend revoking any authorized transactions to further reduce impact from the malicious code.
We are announcing that by June 2024, users will no longer be able to Blind Sign with Ledger devices. Our commitment is to work with the community and DApp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and encourage Clear Signing across DApps.
Front-end attacks have happened many times before and will continue to plague our ecosystem. The only foolproof countermeasure for this type of attack is to always verify what you consent to on your device.
This is only possible with Clear Signing: meaning you can see and verify exactly what you sign on a secure display.
If the ecosystem continues to allow Blind Signing, users remain at risk.
We ask DApp developers to support the Clear Signing security brick. Please reach out to us through our Developer portal (http://developer.ledger.com) or Discord (https://discord.com/invite/ledger) so we can work together to add Clear Signing to your DApp.
We have detailed the cause of this hack and our security team’s response to this in a Ledger Connect Kit Incident Report on our Ledger tech and security blog: https://ledger.com/blog/security-incident-report.
We remind you your Ledger devices and Ledger Live have always been secure to use, and were not made vulnerable by this exploit.
If you believe you may have been affected by the attack, please reach out via our Ledger Help Center to find out more: https://support.ledger.com/hc/en-us/articles/15580506579101?support=true. Thank you again, stay safe and Happy Holidays.”
— Ledger (@Ledger) December 20, 2023
Ledger CEO Pascal Gauthier also committed to making Ledger customers whole: “My personal commitment: Ledger will dedicate as much internal and external resources as possible to help the affected individuals recover their assets.”
— Pascal Gauthier @Ledger (@_pgauthier) December 14, 2023
The Block explained the process of ‘Blind Signing’:
Blind signing refers to a process in which a user is presented with raw data, interpretable by computers but unreadable to humans, to approve on-chain transactions with their private key.
Clear signing summarizes a transaction for a user to review and understand before executing it, Ledger explained in a June 2022 article.
Members of the crypto community received the news well and praised Ledger for its decision to stand by its customers through their reimbursement promise.
We are delighted that @Ledger is making the affected users of the Ledger Connect Kit incident whole.
This sets the bar for the expected accountability level for every Web3 company that undergoes security incidents that affect innocent users. https://t.co/ZepGG2b5aA
— MintDefense (@MintDefense) December 20, 2023
Holy shit, Ledger reimbursing victims, never thought I'd see the day.
— androolloyd.eth | 🦇 🔊 (@androolloyd) December 20, 2023
Blockworks further explained:
Ledger’s small display often requires paging through many — sometimes dozens — of screens showing encoded transaction details, which is why users often opted for blind signing.
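To make the blind-signing versus clear-signing distinction concrete, here is an added example (not Ledger's, The Block's or Blockworks' code) that takes the raw calldata of a common EVM token call, the "encoded transaction details" a blind-signing flow shows as an opaque hex blob, and renders it as the function name and typed arguments a clear-signing display would present. It also flags the two approval shapes a drainer needs (an unlimited ERC-20 allowance, or `setApprovalForAll`), and builds the `approve(spender, 0)` call that "revoking an authorized transaction" in Ledger's statement refers to. It assumes the standard ERC-20/ERC-721 selectors listed in the code, the EVM ABI word layout, and a constructed sample spender address that is not a real one.

```python
# Added example (not Ledger's or the article's code): decode the raw calldata of
# a common EVM token call into the human-readable summary a clear-signing
# display would present, and flag the approvals that drainers rely on.
# Assumptions: the standard ERC-20/ERC-721 function selectors below, the EVM ABI
# layout (4-byte selector followed by 32-byte words), and a constructed sample.

MAX_UINT256 = (1 << 256) - 1

# Well-known 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}


def decode_calldata(calldata_hex):
    """Return {'function', 'args', 'warnings'} for a supported call.

    This is what clear signing does for the user: the same bytes that a
    blind-signing flow shows as an opaque hex blob become a function name
    and typed arguments that can be checked on the device's screen.
    """
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte function selector")
    selector = data[:4].hex()
    entry = SELECTORS.get(selector)
    if entry is None:
        # Unknown selector: a clear-signing display has nothing to show, so
        # the user would effectively be blind signing. Surface that fact.
        return {"function": None, "args": [], "warnings": [
            f"unknown selector 0x{selector}: call cannot be summarised"]}
    name, types = entry
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name} expects {32 * len(types)} argument bytes, got {len(body)}")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):
                raise ValueError("address word has non-zero left padding")
            args.append("0x" + word[12:].hex())
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
    return {"function": name, "args": args, "warnings": risk_warnings(name, args)}


def risk_warnings(name, args):
    """Flag the two approval shapes that let a third party move funds later."""
    warnings = []
    if name == "approve" and args[1] == MAX_UINT256:
        warnings.append("unlimited token allowance requested")
    if name == "setApprovalForAll" and args[1]:
        warnings.append("operator approval for the whole collection requested")
    return warnings


def build_revoke_calldata(spender):
    """Calldata for approve(spender, 0): what 'revoking an allowance' means."""
    spender_bytes = bytes.fromhex(spender.removeprefix("0x"))
    if len(spender_bytes) != 20:
        raise ValueError("spender must be a 20-byte address")
    return "0x095ea7b3" + spender_bytes.rjust(32, b"\x00").hex() + (0).to_bytes(32, "big").hex()


def summarize(calldata_hex):
    """One-line, clear-signing style rendering of the decoded call."""
    d = decode_calldata(calldata_hex)
    if d["function"] is None:
        return "UNKNOWN CALL: " + "; ".join(d["warnings"])
    rendered = ", ".join("unlimited" if a == MAX_UINT256 else str(a) for a in d["args"])
    line = f"{d['function']}({rendered})"
    if d["warnings"]:
        line += "  !! " + "; ".join(d["warnings"])
    return line


# Constructed sample (not a real address): approve(spender, 2**256-1), the
# allowance shape a compromised front end asks the victim to blind sign.
SAMPLE_SPENDER = "0x" + "ab" * 20
SAMPLE_CALLDATA = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32

if __name__ == "__main__":
    print("blind signing shows:", SAMPLE_CALLDATA[:26] + "...")
    print("clear signing shows:", summarize(SAMPLE_CALLDATA))
    print("revoke with:        ", summarize(build_revoke_calldata(SAMPLE_SPENDER)))
```

The decoder deliberately refuses calls whose selector it does not know rather than guessing: that is the gap Ledger's statement describes, since a DApp whose calls the device cannot summarise leaves the user blind signing regardless of the hardware.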