Ledger to Deactivate Blind Signing on Dapps

  • Ledger has revealed that it will stop allowing blind signing on dApps by June 2024
  • The hardware wallet maker believes that blind signing contributed to the recent exploit on its wallet
  • Ledger also announced it will reimburse users who lost funds in the exploit involving its Connect Kit


Hardware wallet maker Ledger has announced that it will stop enabling blind signing on dApps by June next year, saying that the option enabled malicious actors to siphon around $600,000 from user wallets. Ledger said that it will stick to clear signing, adding that it will reimburse those affected by the recent exploit. The hardware wallet manufacturer has asked web3 developers to support the switch to clear signing, saying it will help protect users, something that has been an uphill task even for prominent blockchain projects.

Revoke Permissions to Prevent Further Losses

According to Ledger, blind signing gives malicious actors a chance to confuse signers because the transaction information is presented in a format that’s unreadable by humans. Ledger said that clear signing promotes human-readable transaction details, enabling signers to “see and verify exactly what [they] sign on a secure display.”

The wallet company advised those who suspect that they authorized transactions from a malicious dApp involved in the recent exploit to revoke the permissions to prevent further losses.
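To make the difference between blind and clear signing concrete, and to show what “revoking a permission” amounts to on-chain, here is an added example that is not Ledger’s code: it decodes the raw calldata of an ERC-20 `approve()` request into the fields a wallet should display, flags unlimited approvals, and builds the zero-amount `approve()` calldata that revokes one. The selector `0x095ea7b3` is assumed to be the standard `approve(address,uint256)` selector; the spender address and calldata are constructed sample values.

```javascript
// Added example (not Ledger's code): a minimal "clear signing" view of an
// ERC-20 approve() call, plus the calldata that revokes such an approval.
// Assumption: 0x095ea7b3 is the standard selector for approve(address,uint256).
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode raw calldata into the fields a wallet should display before signing.
// Returns null when the call is not approve(); throws on malformed input.
function decodeApproveCalldata(calldataHex) {
  const hex = calldataHex.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) {
    throw new Error(`unexpected calldata length ${hex.length}`);
  }
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // ABI left-pads a 20-byte address with 12 zero bytes; anything else is suspect.
  if (!/^0{24}[0-9a-f]{40}$/.test(spenderWord)) {
    throw new Error("malformed spender word");
  }
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));
  const unlimited = amount === MAX_UINT256;
  return {
    spender,
    amount,
    unlimited,
    summary: `approve ${spender} to spend ${unlimited ? "UNLIMITED" : amount.toString()} tokens`,
  };
}

// Build approve(spender, amount) calldata; amount 0n produces the revocation
// transaction a user would sign to withdraw a permission they regret granting.
function encodeApproveCalldata(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("invalid address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of range");
  return "0x" + APPROVE_SELECTOR + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// Constructed sample: an unlimited approval to a placeholder spender address,
// the kind of request a blind-signing prompt would show only as opaque hex.
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_CALLDATA = encodeApproveCalldata(SAMPLE_SPENDER, MAX_UINT256);

const decoded = decodeApproveCalldata(SAMPLE_CALLDATA);
console.log(decoded.summary);                           // what clear signing shows the user
console.log(encodeApproveCalldata(SAMPLE_SPENDER, 0n)); // calldata that revokes it
```

A real wallet would render the decoded summary on its secure display and would also resolve the token contract and spender to known names; this snippet only covers the decoding step.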

In a security incident report released on December 20, the Ledger team disclosed that the hacker gained access to the platform through a former employee who “fell victim to a sophisticated phishing attack.”

A Malicious Ledger Connect Kit

The attacker used the ex-employee’s account to publish a “malicious version of the Ledger Connect Kit,” which was then used to siphon user funds.

Although such incidents are rare for the hardware maker, this is not the first controversy surrounding its products. Seven months ago, for example, the company was forced to postpone the launch of Ledger Recover due to community backlash. It conducted the launch two months ago.

By disallowing blind signing, Ledger reduces the number of ways malicious actors can reach its users.
