- The Ledger wallet hack was entirely preventable, says David Schwed, COO of blockchain security firm Halborn
- Schwed says that adopting security practices from mature industries would have prevented the theft of $600,000 from users
- The hack exposed vulnerabilities in Ledger’s software management processes, according to Schwed
The recent hack that saw some $600,000 stolen from Ledger wallet users was “100% preventable,” according to a digital asset security expert. Writing in Forbes, David Schwed, COO of the blockchain security firm Halborn, said that the hack could have been prevented if “security practices that are second nature in more mature industries” had been applied by Ledger. According to Schwed, anti-phishing training and the implementation of other security protocols would have helped prevent unauthorized access, with the losses fortunately reduced thanks to a quick patch.
Crypto Projects Need to Up Their Game
In the late hours of December 14, a malicious attack targeted Ledger’s Connect Kit, injecting harmful “drainer” code into the widely used software component maintained by the hardware wallet maker. This attack, which affected web3 websites globally, exposed a vulnerability not within the code itself but in the process of managing it. While the damage to crypto users was mitigated after a quick patch, the incident highlights a pervasive issue in cryptocurrency projects—immature or underfunded security measures that focus primarily on code vulnerabilities.
Schwed claims that the fact the compromised code was detected by the third-party firm Blockaid rather than by Ledger underscores the lack of a robust code-update-monitoring process within crypto projects. The attack, which he says was preventable with a basic monitoring system, indicates a need for a shift in security standards within the cryptocurrency space, in line with the more comprehensive security reviews seen in traditional banking.
Connect Kit, functioning as infrastructure plumbing for a network of distributed apps, controls third-party apps’ access to cryptocurrency stored in Ledger’s hardware dongles. The hack, categorized as a supply-chain attack, emphasized the vulnerability of behind-the-scenes infrastructure, akin to the SolarWinds hack in 2020. While the Ledger incident was swiftly resolved, Schwed says that it exposed flaws in how Ledger managed its supposedly hyper-secure software.
Phishing Attack Led to Compromise
The compromise originated from a phishing attack targeting a former Ledger employee, leading to unauthorized access, with Schwed adding that anti-phishing training might have averted this initial failure. However, a more severe lapse occurred as the ex-employee retained access to a Ledger JavaScript package managed through a third-party service, NPM. The failure to revoke access post-employment constituted another significant process flaw.
Schwed adds that the incident underscores the need for a more comprehensive security approach in the cryptocurrency industry, addressing process flaws beyond traditional code-focused reviews.
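The two process gaps described above (no monitoring of code updates, and package access that outlived employment) can be checked mechanically. The following is an added example, not code from Ledger, Halborn or the original article: it audits npm registry metadata for a package against a staff roster. The package name, accounts, dates and roster format are constructed for illustration.

```javascript
// Constructed sample: a trimmed npm registry metadata document for a
// hypothetical package (fields: maintainers, time, versions[v]._npmUser).
const packument = {
  name: "@example/widget-kit",
  maintainers: [{ name: "alice" }, { name: "bob" }, { name: "carol" }],
  time: {
    "2.0.0": "2024-02-01T10:00:00.000Z",
    "2.0.1": "2024-09-15T09:30:00.000Z",
  },
  versions: {
    "2.0.0": { _npmUser: { name: "alice" } },
    "2.0.1": { _npmUser: { name: "bob" } },
  },
};

// Constructed sample: hypothetical HR roster keyed by npm account name.
const roster = {
  alice: { leftOn: null },
  bob: { leftOn: "2024-06-30T00:00:00.000Z" }, // offboarded, access never revoked
};

// Flags (1) maintainers who have left or are not on the roster, and
// (2) versions published by an unknown account or after the owner's departure.
function auditPackage(pkg, staff) {
  const findings = [];
  for (const { name } of pkg.maintainers) {
    const entry = staff[name];
    if (!entry) findings.push({ type: "unknown-maintainer", user: name });
    else if (entry.leftOn) findings.push({ type: "stale-maintainer", user: name });
  }
  for (const [version, meta] of Object.entries(pkg.versions)) {
    const user = meta._npmUser ? meta._npmUser.name : null;
    const entry = user ? staff[user] : undefined;
    const published = Date.parse(pkg.time[version]);
    if (!entry) {
      findings.push({ type: "unknown-publisher", user, version });
    } else if (entry.leftOn && published > Date.parse(entry.leftOn)) {
      findings.push({ type: "publish-after-departure", user, version });
    }
  }
  return findings;
}

console.log(auditPackage(packument, roster));
```

Run on a schedule, the maintainer check surfaces access that should have been revoked at offboarding, and the publisher check raises an alert on an unexpected release before downstream sites load it.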