Ledger to remove Blind Sign after Connect Kit exploit, promises to return funds

Crypto hardware wallet provider Ledger will enact changes to transaction signing processes after a Dec. 14 exploit in the Ledger Connect Kit software library.

"We are aware of approximately $600,000 in assets impacted, stolen from users blind signing on EVM DApps," Ledger wrote in a Wednesday X post. It's "committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024."

Both Ledger and non-Ledger customers who lost funds from the exploit will be "made whole" by the end of February 2024, the firm said, adding that those who signed a transaction on affected DApps should revoke unauthorized transactions to prevent the malicious code from affecting them further. 

"Our commitment is to work with the community and DApp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and encourage Clear Signing across DApps," Ledger wrote.

Ledger ConnectKit security issue

Last week, a critical vulnerability affecting several decentralized applications impacted a software library that Ledger relied on, The Block previously reported. Potentially due to a compromise in the software library's specific content delivery network, malicious code had been injected into the front-ends of the apps that allowed the exploiter to steal assets. 

Ledger removed the malicious code after identifying it, but third-party organizations estimated that around $500,000 in funds had been affected around the time.