- Ledger has revealed that it will stop allowing blind signing on dApps by June 2024
- The hardware wallet maker believes that blind signing contributed to the recent exploit on its wallet
- Ledger also announced it will reimburse users who lost funds in the exploit involving its Connect Kit
Hardware wallet maker Ledger has announced that it will stop enabling blind signing on dApps by June next year, saying that the option allowed malicious actors to siphon around $600,000 from user wallets. Ledger said that it will stick to clear signing, adding that it will reimburse those affected by the recent exploit. The hardware wallet manufacturer has asked web3 developers to support the switch to clear signing, saying it will help protect users, something that has been an uphill task even for prominent blockchain projects.
Revoke Permissions to Prevent Further Losses
According to Ledger, blind signing gives malicious actors a chance to confuse signers because transaction information is presented in a format that is unreadable by humans. Ledger said that clear signing promotes human-readable transaction details, enabling signers to “see and verify exactly what [they] sign on a secure display.”
We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.
We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.
Ledger…
— Ledger (@Ledger) December 20, 2023
The wallet company advised those who suspect that they had authorized transactions from a malicious dApp involved in the recent exploit to revoke the permissions to prevent further losses.
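To make the blind-versus-clear-signing distinction above concrete, and to show what the recommended "revoke the permissions" step looks like at the transaction level, here is an added example. It is not Ledger's code or anything from the Connect Kit; it is a small Node.js script that decodes raw ERC-20 calldata into the human-readable view a clear-signing display would present, flags an unlimited allowance, and builds the `approve(spender, 0)` call that revokes it. The function selectors are the standard ERC-20 values; the spender address and amounts are constructed sample data.

```javascript
// Added example (not Ledger's code): what "clear signing" recovers from
// calldata that a blind-signing flow shows only as an opaque hex blob.
// Decodes the two ERC-20 calls an approval-draining dApp typically asks for:
//   approve(address spender, uint256 amount)   selector 0x095ea7b3
//   transfer(address to, uint256 amount)       selector 0xa9059cbb
// Selectors are the standard keccak256-derived ERC-20 values; the addresses
// and amounts below are constructed sample data, not from any real incident.

const SELECTORS = {
  "0x095ea7b3": { name: "approve", params: ["address", "uint256"] },
  "0xa9059cbb": { name: "transfer", params: ["address", "uint256"] },
};

const UINT256_MAX = (1n << 256n) - 1n;

// Decode one 32-byte ABI word (64 hex chars) according to its Solidity type.
function decodeWord(type, word) {
  if (type === "address") {
    // An address is right-aligned in the word; the 12 leading bytes must be zero.
    if (word.slice(0, 24) !== "0".repeat(24)) throw new Error("malformed address word");
    return "0x" + word.slice(24);
  }
  if (type === "uint256") return BigInt("0x" + word);
  throw new Error(`unsupported type ${type}`);
}

// Turn raw calldata into the human-readable view a clear-signing display shows.
// Returns null for anything it cannot decode: that is exactly the situation in
// which a wallet falls back to blind signing and the user sees only a hash.
function decodeCalldata(hex) {
  const data = hex.toLowerCase().replace(/^0x/, "");
  if (data.length < 8 || data.length % 2 !== 0) return null;
  const entry = SELECTORS["0x" + data.slice(0, 8)];
  if (!entry) return null;
  const body = data.slice(8);
  if (body.length !== entry.params.length * 64) return null;
  try {
    const args = entry.params.map((t, i) => decodeWord(t, body.slice(i * 64, (i + 1) * 64)));
    return { fn: entry.name, args };
  } catch {
    return null;
  }
}

// Render the decoded call, flagging the pattern behind approval draining:
// an unlimited allowance granted to a spender the user does not recognise.
function describe(decoded) {
  if (!decoded) return "BLIND SIGNING: calldata not decodable, only a hash would be shown";
  const [addr, amount] = decoded.args;
  if (decoded.fn === "approve") {
    const unlimited = amount === UINT256_MAX;
    const revoke = amount === 0n;
    return `approve(spender=${addr}, amount=${unlimited ? "UNLIMITED" : amount.toString()})` +
      (unlimited ? " -- WARNING: unlimited allowance" : revoke ? " -- revoke" : "");
  }
  return `transfer(to=${addr}, amount=${amount.toString()})`;
}

// Build the calldata for approve(spender, 0): the "revoke permissions" step
// recommended to users who may have signed a malicious approval.
function encodeRevoke(spender) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x095ea7b3" + addr + "0".repeat(64);
}

// Constructed sample: an unlimited approval to a made-up spender address.
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_APPROVE =
  "0x095ea7b3" +
  "000000000000000000000000" + SAMPLE_SPENDER.slice(2) +
  "f".repeat(64);

// Demo: what the user would see under clear signing, under blind signing,
// and for the revoke transaction.
console.log(describe(decodeCalldata(SAMPLE_APPROVE)));
console.log(describe(decodeCalldata("0xdeadbeef")));
console.log(describe(decodeCalldata(encodeRevoke(SAMPLE_SPENDER))));
```

The point of the `null` path is the security-relevant one: any call the wallet cannot decode is exactly the case where the user is asked to trust a hash, which is the blind-signing condition the article describes. A wallet or dApp that wants clear signing has to ship decoders (or typed-data definitions) for every call it asks users to approve.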
In a security incident report released on December 20, the Ledger team disclosed that the hacker gained access to the platform through a former employee who “fell victim to a sophisticated phishing attack.”
A Malicious Ledger Connect Kit
The attacker used the ex-employee’s account to publish a “malicious version of the Ledger Connect Kit,” which was then used to siphon user funds.
Although it is a rare occurrence for the hardware maker, it’s not the first controversy surrounding its products. Seven months ago, for example, the company was forced to postpone the launch of Ledger Recover due to community backlash. It conducted the launch two months ago.
By disallowing blind signing, Ledger reduces the number of ways malicious actors can reach its users.