Casa Blog - Bitcoin Security Made Easy

Supply chain attacks are one of the most potent security threats for owners of bitcoin and other digital assets to consider. Today there was a massive security event that affected hundreds of crypto applications.

While Casa is not affected, we want to provide guidance when uncertainty arises with respect to securing assets in self-custody. In this article, we will explain what happened, why it matters, and how you can keep your assets safe.

What is a supply chain attack?

It's when a malicious entity inserts itself between you and the trusted source providing the functionality you're using. Supply chain attacks need not be physical in nature (against hardware); they can also target the delivery of the code that gets executed on your device.

What happened with the Ledger attack

The vulnerability exposed recently pertains to the Ledger Connect Kit, a software library commonly used in other apps. Libraries are an everyday tool for software development and allow engineers to build and ship apps faster. The downside of libraries is that when one contains a vulnerability, it can be exploited downstream in every app that uses the library. This is one of many reasons why apps require updates from time to time.

For a few hours earlier today, anyone who used an app that loaded the Ledger Connect Kit would have had malicious code loaded into the app. Early reports indicate the malicious code creates a fake "Ledger" entry on the pop-up where you select your wallet. It may also trigger signature request pop-ups in a browser wallet that ask you to approve sending funds to the attacker's account. To be clear, you can be at risk even if you aren't using a Ledger device.

Today's supply chain attack injected a wallet drainer into Ledger's "wallet connect" library that gets loaded by many web3 / DeFi apps. What is a wallet drainer? Basically, it's a smart contract that, if given approval to control your wallet, will steal all of the funds. The key point is that it must be given approval by you via a cryptographically signed message. As such, wallet drainer attackers will try to be as sneaky as possible to trick you into approving their contract's access to your funds. For example:

[Image: wallet-draining attack example]
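To make the approval step concrete, here is an added example (not code from Casa or Ledger) of how a transaction's calldata can be inspected before signing so that token approvals stand out. It assumes the approval is a standard ERC-20 `approve` / `increaseAllowance` or ERC-721/1155 `setApprovalForAll` call, which this post does not specify; `inspectCalldata`, the trusted-spender list and the sample address are hypothetical.

```javascript
// Added example: flag EVM calldata that grants a spender control over tokens.
// The keys are the standard 4-byte selectors of these function signatures.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",           // ERC-20 allowance
  "39509351": "increaseAllowance(address,uint256)", // common ERC-20 extension
  "a22cb465": "setApprovalForAll(address,bool)",    // ERC-721 / ERC-1155 operator
};
const MAX_UINT256 = (1n << 256n) - 1n;

// trustedSpenders is a hypothetical allow-list of contracts you already use.
function inspectCalldata(calldataHex, trustedSpenders = []) {
  const hex = calldataHex.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { kind: "invalid", warnings: ["not hex, or shorter than a selector"] };
  }
  const signature = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!signature) return { kind: "other", warnings: [] };
  // Selector plus two 32-byte ABI words: 8 + 64 + 64 hex characters.
  if (hex.length !== 136) {
    return { kind: "malformed-approval", signature, warnings: ["unexpected argument length"] };
  }
  const spender = "0x" + hex.slice(32, 72);       // low 20 bytes of the first word
  const value = BigInt("0x" + hex.slice(72, 136)); // amount, or bool for setApprovalForAll
  const trusted = trustedSpenders.map((a) => a.toLowerCase());
  const warnings = [];
  if (!trusted.includes(spender)) warnings.push("spender is not on your trusted list");
  if (signature.startsWith("setApprovalForAll")) {
    if (value !== 0n) warnings.push("grants operator rights over every token in the collection");
  } else if (value === MAX_UINT256) {
    warnings.push("unlimited allowance");
  }
  return { kind: "approval", signature, spender, value, warnings };
}

// Constructed sample: approve(spender, 2^256 - 1) to a made-up address.
const SAMPLE_SPENDER = "0x" + "ab".repeat(20);
const SAMPLE_APPROVE =
  "0x095ea7b3" + "0".repeat(24) + "ab".repeat(20) + "f".repeat(64);
console.log(inspectCalldata(SAMPLE_APPROVE));
```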

Why Casa vaults are safe

Casa members who are using our Pay wallet or multi-key vaults for their BTC, ETH, and stablecoins are not affected by this supply chain attack. Because Casa vaults require multiple keys and signatures to send transactions, a single signature of the malicious wallet drainer contract would not be sufficient to take control of your funds. At worst, it would be able to drain the funds from whatever single-signature account you have tied to your daily driver DeFi wallet.

Casa's vaults are designed to withstand supply chain attacks. In the context of Casa's architecture, which distributes multiple keys across different hardware devices, this diversity provides robustness against such attacks. How? Even if one key's hardware or software is compromised, the rest remain secure. The likelihood of an attacker executing multiple simultaneous supply chain attacks is essentially zero.

While Ledger has fixed the underlying code issue, it's still possible you may accidentally load some cached malicious code for the next day or so. To make sure you don't have the malicious library cached, go to https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit and ensure the version is 1.1.8.

[Image: verifying the Ledger Connect Kit version]

If it's not, clear your browser cache. In Chrome this can be accomplished via F12 > Chrome Developer Tools > Application tab > Storage in left tree > Clear site data.

Beware single points of failure

Today's attack was a fascinating example of how, despite the widely distributed and decentralized nature of the crypto ecosystem in many regards, there are still single points of failure. It's astounding that a single compromised (former) employee account at one company can result in countless users' funds being put at risk due to the interconnected nature of widely adopted software libraries.

If you have substantial savings, they should be protected by more than one key. The best time to protect your assets is right now, before the next attack.


Don’t be afraid of security threats — take action

If you’re wondering if your assets are safe on a hot wallet, custodian, or exchange, now’s your chance to be proactive. With Casa, you can safely take self-custody of your assets with your multi-key vault for greater protection from supply chain attacks and many other threats.

Get started with your own 3-key vault here.