Daily Crypto, Finance, and Tech News Summary – December 18, 2023


Welcome, and thank you for being part of the MyZucoins community! Let’s get into an interesting piece of crypto, finance, or tech news to stay ahead.


Ledger’s Supply Chain Attack Steals $600K+ From Crypto Wallets

Ledger, a prominent cryptocurrency hardware wallet manufacturer, publishes a JavaScript library called Connect Kit that decentralized finance (DeFi) protocols and wallet front-ends such as Lido, Metamask, Coinbase, and Sushi use to connect their decentralized applications to Ledger devices.

An industry-wide exploit linked to Ledger’s Connect Kit library put DeFi protocols at risk, with Sushi among the notable victims.

The attack was sophisticated: rather than breaking the wallets themselves, it manipulated the front-end of affected websites and applications so that users were deceived into approving transactions that sent their funds to the attackers instead of to their own wallets.

Sushi’s Chief Technology Officer, Matthew Lilley, urged users to avoid all interaction with these kinds of apps, known as “dApps”, until further notice, citing that a widely-used Web3 connector has been compromised.

Because so many apps load that connector, compromising it let the attacker inject malicious code into all of them at once.

The exploit reportedly entices users to connect their wallets via a pop-up, which then triggers a token-draining mechanism.

The issue was also reported across other DeFi websites such as Zapper and RevokeCash.

A significant revelation followed: Ledger admitted that a former employee had fallen for a phishing attack, which gave the attacker the access needed to publish a malicious version of the Connect Kit library.

The compromise began with that phishing attack, which captured the former employee’s login details for the npm registry (npmjs.com), where the Connect Kit package is published.

npm is the most widely used package registry for JavaScript: developers publish code libraries (“packages”) there, and other projects download them as dependencies.

It’s useful and allows developers to bring other people’s code into their own apps, saving development time.

The company is currently prioritizing securing the compromised code library and investigating the breach, promising a comprehensive report later.

Despite the breach, Ledger has asserted that the core hardware and the main software application, Ledger Live, were not directly affected by this supply chain attack.

Ledger advises that every potentially affected project replace the infected version with the clean release before use is safe.

Tether, a stablecoin issuer, has frozen the hacker’s funds.

Users are warned against engaging with any dApps for the time being, while a resolution is actively sought.

More On This Topic:

Discover the boldest supply chain hack ever.

System update: 50k+ under-the-hood code changes coming to the Zucoin wallet app.

Blockchains are currently platforms of huge potential and trade-off issues.

How Zucoin’s Splitchain network architecture differs to traditional blockchains?

Explore the major Atomic crypto wallet security breach.

How Does Zucoin Focus On Fewer Third-Party Software Dependencies? Why Does It Matter For Security?

Ledger is one of the most popular cryptocurrency hardware products on the market, providing a secure way to store digital assets offline.

However, the breach in its ‘Ledger dApps Connect Kit’ software exposes a chink in the armor around it: not the device itself, but the software distribution channel through which dApps reach it.

It serves as a stark reminder of the vulnerabilities inherent in relying heavily on third-party software libraries in your own systems.

Ledger has also had controversy due to their “private-key cloud recovery ability”, where users can have Ledger manage their crypto wallet private keys for them.

We are hopeful the Ledger team can put steps in place to prevent events like this from happening in the future and no doubt their technical teams are going through a lot of late nights to get it sorted.

Less is more when it comes to reliability and supply chain attacks.

The compromised code library delivered a wallet drainer that siphoned off substantial funds, and the whole chain of events started with a phishing attack on a single maintainer’s registry account.

Although Ledger acted swiftly to mitigate the damage, the episode reveals the inherent risks of third-party dependencies.

In contrast to the conventional approach of bundling huge quantities of third-party code libraries, the Zucoin wallet app and Splitchain’s network use just a couple of well-proven, mature code libraries that are infrequently updated, and only where absolutely needed.

Zucoin adopts a minimalistic approach.

For example, Zucoin’s use of a mature, well-established, third-party cryptography library and implementation was audited by Underwriters Laboratories (UL).

By limiting external dependencies, Zucoin effectively reduces the attack surface for potential supply chain exploits.

The fewer moving parts, the fewer things there are to go wrong.

The strategy of using fewer third-party dependencies is challenging, as it means more groundwork has to be done upfront, but it offers several longer-term advantages:

  1. Improved Security: Fewer dependencies translate to fewer entry points for malicious threats. Zucoin’s approach reduces the risk of security breaches, giving a more robust defense against supply chain attacks.
  2. Greater Control Over Code: Direct oversight of the majority of its codebase allows Zucoin to implement stringent security protocols and respond swiftly to any vulnerabilities. Once its systems are open-sourced and more of the community experiments with them, this typically improves further.
  3. Reduced Complexity: A streamlined codebase is easier to audit and maintain, leading to a more stable and reliable platform.
  4. Independence from External Vulnerabilities: Zucoin’s autonomy from the majority of third-party libraries shields it from the ripple effects of breaches in external systems.

The old software engineering saying goes, the safest code is the one that doesn’t get written.

Keeping bloat and the number of third-party code libraries down to a minimum is of high importance to the Zucoin team.

There’s a worrying culture in the software industry to bundle tons—often thousands upon thousands of third-party code files, from sources that are rarely reviewed or audited, directly into apps.

All it takes is for one of those third-party files to be compromised with malicious code, and your system or app is compromised the next time you update and pull in the poisoned version.

Some say the solution is to never update your system.

But this is poor practice too, as many software updates patch existing holes in software.

We need to look deeper.

One reason it happens is that many software developers have strict deadlines to build hugely complex systems.

To save time, they look for a piece of code that fills a gap in a public registry like npm, and they quickly put it into their own system’s code, with little consideration for long-term maintenance or safety.

Even if that third-party software is trustworthy today, nothing stops its project from being quietly acquired, or its maintainer’s account compromised, a few months later, with the next update shipping a malicious script.

Every system that pulls in that update is now quietly compromised.

This is the essence of the “supply chain attack” strategy.

It’s a trend we find happening in more and more industries too, not just in software development.

Many kinds of newer infrastructure projects, as well as cars, houses and tools, for example, aren’t made to last as long as their older counterparts built many decades ago.

Imagine if electricity power-poles had to be rebuilt every two weeks, instead of every 40 years?

It’s known as “planned obsolescence”.

Labor is expensive and technology is cheap.

In the industrial era and prior, the opposite was true.

Labor was cheap and technology was expensive.

This change forces a short-term focus instead of a long-term focus.

More things get rebuilt more often.

More energy and effort are wasted.

It hurts the ability for things to compound.

When you’re building a protocol like Splitchain, as Bitcoin proved, planning for long-term infrastructure maintenance and sustainability is key.

For Zucoin, the aim is to reduce the number of widespread changes Splitchain needs.

The fewer updates the Splitchain network needs, the better and closer it is to being a protocol.

Since the Splitchain network’s beta launch in Feb 2022, only 14 network updates have been released.

When it comes to the next major Zucoin and Splitchain updates, a lot of this comes down to the bulk transaction automation tool, Zubot, which isn’t part of the Splitchain network’s operation.

It’s just that—a tool on top of Splitchain.

The Splitchain network doesn’t need the Zubot to operate.

Most of the time, solutions that are short-term usually won’t last and will ruin the odds of Splitchain becoming a long-lived decentralized protocol.

They’re tempting because they’re easier.

The Ledger supply chain attack is a cautionary tale highlighting the perils of over-dependence on third-party software.

It demonstrates how even robust systems can be compromised through indirect channels.

This incident should prompt organizations to reassess their reliance on external libraries, as Zucoin has focused on for their core systems.

Open source is another key component of mitigating this risk.

Allowing others to run their own versions of Splitchain and the Zucoin wallet app will allow more decentralization to form.

In this scenario, if one person is affected by a supply chain attack or malware, its odds of spreading are reduced.

Checksums are another way to minimize these risks: the downloaded code package is checked against an expected cryptographic hash to ensure it hasn’t been tampered with.

But these can be tricky to get right too, as the secondary source that supplies the expected hash could itself be compromised.

Perhaps this is something that could be placed within Splitchain transactions themselves?

As pioneer computer scientist Edsger W. Dijkstra once said, “Simplicity is a prerequisite for reliability.”


If you liked this newsletter, please forward it to someone who might like it too.

You can also donate here or even buy some Zucoins. Every little bit helps us improve.

What did you think of this newsletter? Reply to send us feedback on what you liked or want to see featured more. There’s more coming, so stay tuned.

All the best,
—Rob
MyZucoins

Disclaimer: Of course, this is not advice, financial or otherwise. It’s also important to consider the risks and challenges associated with any potential benefits.