banteg
Dec 14 · 5 tweets · 3 min read
🚨 ledger library confirmed compromised and replaced with a drainer. hold off on interacting with any dapps until things become clearer.
cdn.jsdelivr.net/npm/@ledgerhq/…
seems ledger connect-kit-loader is also vulnerable since it specified the dep loosely
possible list of affected parties
github.com/LedgerHQ/conne…
sourcegraph.com/search?q=conte…
ledger asks to use connect-kit-loader to load connect-kit, but even if you follow the best practices and pin the version of the loader, it fetches the latest version of connect-kit >=1.0.0, <2.0.0.

this has allowed the attackers to infiltrate a shitton of libraries by compromising just the connect-kit. last known version coming from ledger is 1.1.4. three releases up to 1.1.7 were posted today, all should be considered compromised.
ledger pushed a new version, @1 should match 1.1.8 now.

it still doesn't add strict version pinning, which is better addressed here.

the version is still not on npm yet though and it doesn't guarantee the fix if the attacker can still publish new packages.
github.com/LedgerHQ/conne…
github.com/LedgerHQ/conne…
npmjs.com/package/@ledge…
cdn code looks updated, the vulnerability is contained.
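As an added illustration (not code from banteg's thread or from Ledger), a minimal semver resolver that shows why a pinned loader still pulls the newest connect-kit when the loader's own dependency is the range >=1.0.0 <2.0.0, and why an exact pin does not. The published version list is constructed from the releases the thread names (1.1.4 last known good, the three releases up to 1.1.7 compromised).

```javascript
// Added example, not code from the thread or from Ledger: a tiny semver-range
// resolver showing how a loose range in the loader tracks whatever is newest.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Range grammar kept minimal: an exact version "X.Y.Z", or space-separated
// comparators such as ">=1.0.0 <2.0.0" (the form the thread describes).
function satisfies(version, range) {
  const parts = range.trim().split(/\s+/);
  return parts.every((p) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(p);
    if (!m) throw new Error(`unsupported comparator: ${p}`);
    const c = cmp(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return c >= 0;
      case '<=': return c <= 0;
      case '>':  return c > 0;
      case '<':  return c < 0;
      default:   return c === 0;
    }
  });
}

// A CDN or registry resolves a range to the highest matching published version.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed version list for the example: the thread names 1.1.4 as the last
// release from Ledger and the three releases up to 1.1.7 as compromised.
const PUBLISHED = ['1.0.0', '1.1.3', '1.1.4', '1.1.5', '1.1.6', '1.1.7'];
const COMPROMISED = new Set(['1.1.5', '1.1.6', '1.1.7']);

// Reports which version a dependency range would pull and whether it is on the bad list.
function audit(range, published = PUBLISHED) {
  const resolved = resolve(range, published);
  return { resolved, compromised: COMPROMISED.has(resolved) };
}

console.log(audit('>=1.0.0 <2.0.0')); // loose range, as in the loader
console.log(audit('1.1.4'));          // exact pin
```

Re-running `audit` with 1.1.8 appended to the list moves the loose range to 1.1.8, which is the thread's point: the range follows whatever gets published next, good or bad, while the pin stays put.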
