Important measures following the drainer hack on all dApps.

Attention: Many dApps are currently compromised and contain wallet drainers. It's recommended not to interact with any dApps until you are sure that your browser has cached version 1.1.8 of the connect-kit.

Polkastarter Team

HOW TO CHECK 
To make sure you don't have the malicious library cached, go to https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1 and ensure the version is 1.1.8. If it's not, clear your cache. 

As an extra security step, check this with every dApp to make sure it has been updated everywhere.

HOW TO CLEAR CACHE BY HARD REFRESH 
⚠️ You'll have to hard refresh while visiting the dependency. Click on this link and hard refresh while being on that page: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1

  • Google Chrome
    • Windows: hold down Ctrl and then press F5 on your keyboard
    • Mac: hold down Cmd and Shift and then press R on your keyboard
  • Firefox
    • Windows: hold down Ctrl and then press F5 on your keyboard
    • Mac: hold down Cmd and Shift and then press R on your keyboard
  • Safari (Mac)
    • Go to Safari > Empty Cache, or hit Opt + Cmd + E
    • To refresh, click the refresh button on the address bar or press Cmd + R
  • Internet Explorer/Microsoft Edge (Windows)
    • Hold down Ctrl and then press F5 on your keyboard

HOW POLKASTARTER TOOK MEASURES
We’ve updated the package that uses the ledger package as a dependency. Polkastarter doesn’t use the LedgerConnector directly, so no issues on that end.

Users still need to double-check which version they are on, since their cache might contain the wrong one. Please check the first point again if you're not sure.

Please follow the updates and stay vigilant! Reach out to our support team on Telegram or Discord if you’re in doubt.

HOW DID THE CONNECT-KIT HACK HAPPEN
1. Ledger is loading JS from a CDN.
2. They are not version locking loaded JS.
3. They had their CDN compromised.

When users connect their wallets with the compromised version, they activate a drainer function. This happened to only a few users, and so far the damage seems to be under control.
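The floating reference described in steps 1 and 2 (a URL ending in `@1` serves whichever 1.x release is newest) can be found mechanically. The following is an added example, not Polkastarter's or Ledger's code: it scans page or bundle text for jsDelivr npm URLs and reports those without an exact version or a Subresource Integrity attribute. The function names, `example-lib`, and the sample markup are constructed for illustration.

```javascript
// Matches jsDelivr npm URLs: optional @scope/, package name, optional @version-spec.
const JSDELIVR_NPM =
  /https:\/\/cdn\.jsdelivr\.net\/npm\/((?:@[\w.-]+\/)?[\w.-]+)(?:@([^\/"'\s>]+))?/g;
// An exact version has three numeric parts, optionally a prerelease/build tag.
const EXACT = /^\d+\.\d+\.\d+(?:[-+][\w.-]+)?$/;

function auditCdnReferences(text) {
  const findings = [];
  for (const m of text.matchAll(JSDELIVR_NPM)) {
    const [, pkg, spec] = m;
    // Is the URL inside a <script ...> opening tag? If so, inspect that tag for SRI.
    const tagStart = text.lastIndexOf('<script', m.index);
    const tagEnd = text.indexOf('>', m.index);
    const inTag = tagStart !== -1 && tagEnd !== -1 &&
      text.indexOf('>', tagStart) === tagEnd;
    const tag = inTag ? text.slice(tagStart, tagEnd + 1) : '';
    findings.push({
      pkg,
      spec: spec || '(none)',                 // no spec means "latest"
      pinned: EXACT.test(spec || ''),         // false for @1, @1.1, @latest, none
      hasIntegrity: /\sintegrity\s*=\s*["']sha(256|384|512)-/.test(tag),
      dynamic: !inTag,                        // URL appears in script code, not a tag
    });
  }
  return findings;
}

// References that can change under you: floating version or no integrity check.
function needsAttention(findings) {
  return findings.filter((f) => !f.pinned || !f.hasIntegrity);
}

// Constructed sample markup; the integrity value is a placeholder, not a real hash.
const SAMPLE = `
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>loadScript("https://cdn.jsdelivr.net/npm/example-lib/dist/index.js")</script>
`;

for (const f of needsAttention(auditCdnReferences(SAMPLE))) {
  const why = [f.pinned ? null : `floating version "${f.spec}"`,
               f.hasIntegrity ? null : 'no integrity attribute']
    .filter(Boolean).join(', ');
  console.log(`${f.pkg}: ${why}${f.dynamic ? ' (loaded from script code)' : ''}`);
}
```

Only the second reference in the sample passes: it names an exact version and carries an integrity attribute, so a changed file on the CDN would be rejected by the browser instead of executed.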


SOURCES AND THANKS
Thanks to the crypto community for keeping us all informed. We got pieces of information very quickly thanks to the following captains:
https://twitter.com/bantg/status/1735279127752540465 
https://twitter.com/officer_cia/status/1735276914321846498
https://twitter.com/Mudit__Gupta/status/1735301007188406681