Gryphsis Cryptocurrency Weekly: Hardware Wallet Ledger Attacked for $484,000 Due to Security Vulnerability

Gryphsis Academy
2023-12-20 10:38:43
Hackers inserted malicious code into the GitHub repository of Connect Kit maintained by the cryptocurrency wallet company Ledger. This vulnerability may affect the front end of all protocols using Connect Kit, with several major DeFi protocols impacted, including Sushi, Lido, MetaMask, and Coinbase.

Author: Gryphsis

Market and Industry Snapshot:

Layer 2 Overview:

Last week, Layer 2 experienced significant fluctuations, with Base and Starknet growing by 18.99% and 10.59% respectively, while the rest showed negative growth. Protocols like Poolshark, ApeX Protocol, Seamless Protocol, and SyncYield demonstrated noteworthy TVL growth rates.

LSD Sector Overview:

In the LSD sector, Ethereum staking and deposits remained relatively stable, but total withdrawals increased significantly. In terms of market share, most blue-chip LSDs declined, with wstETH showing the most notable drop of 14.66% this week.

RWA Sector Overview:

Last week, the overall market for real-world assets (RWA) saw a significant increase, with market capitalization rising by 36.43% and 24-hour trading volume growing by 43.42%, bringing the overall industry share up to 0.12%. The tokenized treasury and tokenized U.S. Treasury bonds showed stable performance. Notable growth tokens included $CTC, $STBU, and $DEXTF, while tokens like $TIA, $ELAND, and $FACTR experienced substantial losses.

Main Topics

Macroeconomic Overview:

  • US Stocks vs. Crypto

Major Events This Week:

  • Ledger Hardware Wallet Hacked Due to Security Flaw

Weekly Protocol Recommendation:

  • Kujira

Weekly VC Investment Focus

  • Liquidium ($1.25M)

  • NodeKit ($1.2M)

  • Dynamic ($13.5M)

Twitter Alpha:

Macroeconomic Overview

This week, the stock market and the crypto industry showed opposing trends, with SPX and NASDAQ increasing by 2.49% and 2.85% respectively. In the coming week, key events to watch include CPI, building permits, CB consumer confidence index, and core durable goods orders.

Major Events This Week

Ledger Hardware Wallet Hacked for $484,000 Due to Security Flaw

Hackers inserted malicious code into the GitHub repository of Connect Kit maintained by crypto wallet company Ledger. Since Ledger's Connect Kit is a piece of code that allows DeFi protocols to connect to crypto hardware wallets, the vulnerability could affect the front end of all protocols using Connect Kit. Several major DeFi protocols, including Sushi, Lido, MetaMask, and Coinbase, were impacted.

Due to Ledger's security vulnerability, multiple Ethereum-based applications, including Zapper, SushiSwap, Phantom, Balancer, and Revoke, were compromised. Paris-based crypto hardware wallet manufacturer Ledger stated that it had fixed the malicious code by 13:35 UTC and warned users to "clearly sign" transactions to ensure direct interaction with the company's website and software. It remains unclear how many dapps were affected or how much money was lost. Sporadic reports on social media indicate that the vulnerability was widespread.

Sushi's CTO Matthew Lilley wrote on Twitter, "Do not interact with any dApps until further notice." He was one of the first to acknowledge the attack, stating, "It seems a commonly used Web3 connector has been compromised, allowing malicious code injection to affect many dApps."

Although Ledger has updated its code, Ido Ben-Natan, CEO of blockchain security firm Blockaid, told CoinDesk in a Telegram message that "many sites are still affected, and users are being hit." To completely eliminate the risk, every protocol using Ledger Connect Kit must manually update its library version. Meanwhile, several protocols remain at risk, particularly services like revoke.cash that are used to remove permissions from DeFi protocols.

Hacking incidents in the cryptocurrency space are common, especially in the DeFi world, where financial software is often deployed without proper auditing and testing, and is used by individuals lacking adequate due diligence knowledge. Centralized entities like Ledger are also common targets.

https://www.coindesk.com/consensus-magazine/2023/12/14/what-we-know-about-the-massive-ledger-hack/

Weekly Protocol Recommendation

Welcome to our weekly protocol segment—where we focus on protocols making waves in the crypto space. This week, we have chosen Kujira, a Layer 1 financial public chain on Cosmos centered around trading & yield.

Kujira initially launched the ORCA protocol on Terra, focusing on collateral liquidation protocols that allow users to purchase low-priced liquidation orders. After the collapse of Terra, Kujira pivoted to a financial public chain developed using the Cosmos SDK and has developed a suite of native service products:

  1. Orca: A collateral liquidation protocol that liquidates various collateral tokens in the Cosmos ecosystem.

  2. FIN: An order book model DEX.

  3. Bow: An automated market maker that allows users to profit by providing liquidity.

  4. Ghost: A money market providing lending services.

  5. Pilot: A launchpad platform built in collaboration with Kujira and Fuzion, allowing equal participation based on the Orca bidding process.

  6. Blue: One of the core infrastructures for managing tokens, staking, voting, and exchanges.

These DeFi suite services, such as liquidation, lending, staking, wallets, etc., serve as infrastructure to help any protocol looking to leverage Kujira to launch its products with liquidity, achieving composability. Since then, Kujira has committed to providing financial solutions for Web3 developers, protocols, and users as a sovereign blockchain. Additionally, Kujira's ecosystem currently includes 25 protocols, 75 validators, 5 community tools, and has completed product integrations with 21 other protocols.

Kujira's native token $KUJI has a total supply cap of 122.4M and no inflation mechanism. The token is used for paying network fees, dapp fees, staking, and governance. Network fees are distributed to token holders; users staking tokens through validators receive a basket of asset fees returned by the network, and stakers will receive various tokens, as the network does not directly convert these assets into $KUJI, thus diversifying users' assets.

Rewards earned by staking $KUJI in Leap

Kujira's future roadmap includes launching BFIT, Sonar wallet, DLOYAL, Merch Store, domain services, etc., continually expanding services to help more products deploy quickly.

Our Insights

Kujira has shown strong growth momentum this year, with a TVL of only 3M at the beginning of 2023, which has now reached 120.5M, nearly a 40-fold increase. Compared to its competitors Frax and Injective, it ranks second in TVL, about 10 times lower than Frax, but its market cap and FDV are not far apart, with a 24-hour trading volume exceeding that of Frax.

In terms of product updates, Kujira has launched a test version of the Sonar Wallet, expanding its service suite; launched the Pancake $KUJI-$BNB liquidity pool; and launched Helix DEX on Injective. In addition, OPNX launched perpetual trading for $KUJI, and support was added for the $RIO-$USK liquidity pool…

Notably, on November 25, Kujira announced the completion of integration with Wormhole, introducing $SOL assets as the first batch. This collaboration also means Kujira's products and services will be able to connect with over 30 mainstream blockchains supported by Wormhole, significantly expanding its usability and user base. Relatively speaking, Kujira's recent actions are evident, whether in liquidity expansion or product updates, with clear positive expectations.

Moreover, since Kujira is a collateral-based network, all dapps within the Kujira ecosystem can share this liquidity, staking tokens to protect the network, and users can interact across various dapps to earn multiple asset rewards. Additionally, because Kujira is built on the Cosmos network, it can interact with other Cosmos ecosystem projects through the IBC protocol, greatly expanding interaction scenarios.

Source: Mapofzones

Overall, Kujira currently has a very rich infrastructure, laying a stable foundation for cross-chain interoperability, staking, governance, and other functions, which are essential for the prosperity of the ecosystem. Although its competitors Frax and Injective are also developing their own DeFi service suites, Kujira's functionality is more robust, with its own advantages in both breadth and depth.

https://www.panewslab.com/zh/articledetails/8847uif5.html

Gryphsis Research Focus

Welcome to this week's "Gryphsis Research Focus," where we share our team's latest insights. Our dedicated research team continuously explores cutting-edge trends, developments, and breakthroughs in the crypto space. This week, we are excited to share our newly released report, so let's dive in!

TL;DR:

  1. The commercial applications of generative AI became a global sensation in 2022, but as the novelty wears off, some current issues of generative AI are gradually emerging. The maturing Web3 space, with its fully transparent, verifiable, and decentralized characteristics, provides new ideas for solving generative AI problems.

  2. Generative AI is an emerging technology in recent years, developed based on deep learning neural network frameworks, with diffusion models for image generation and large language models for ChatGPT showing immense commercial potential.

  3. The implementation architecture of generative AI in Web3 includes infrastructure, models, applications, and data, with the data part being particularly important when combined with Web3, having vast development space, especially on-chain data models, AI agent projects, and vertical domain applications that have the potential to become key development directions in the future.

  4. Currently, popular projects in the AI track of Web3 show insufficient fundamentals and weak token value capture capabilities, with future expectations mainly relying on new hype or updates in token economics.

  5. Generative AI has enormous potential in the Web3 space, and there are many new narratives worth looking forward to in the future that combine with other software and hardware technologies.

Full report: https://link.medium.com/9IWPsgisBFb

Weekly VC Investment Focus

Welcome to our weekly investment focus, where we reveal the most significant venture capital dynamics in the crypto space. Each week, we will highlight the protocols that have received the most funding.

Liquidium

Liquidium is a peer-to-peer lending solution that leverages the powerful capabilities of discrete log contracts (DLC) and partially signed Bitcoin transactions (PSBT), allowing users to borrow and lend native Bitcoin using ordinal inscriptions as collateral. Ordinal inscriptions are a new form of digital asset created by engraving data on satoshis (the smallest unit of Bitcoin).

https://x.com/LiquidiumFi/status/1734146133499240849?s=20

NodeKit

NodeKit raised $1.2M in seed funding on the Avalanche-based platform SEQ, which is a Layer 1 subnet designed for high-performance rollup chains. SEQ will operate as an independent blockchain or a subnet within the Avalanche ecosystem, supporting most existing rollup chains and featuring cross-chain interoperability. The testnet for SEQ is planned for launch in 2024, with the mainnet to follow later.

https://x.com/nodekitorg/status/1734955629591322985?s=20

Dynamic

Dynamic is an authentication and authorization platform based on a multi-chain wallet, enabling developers to leverage wallet-based interaction features in minutes. With Dynamic, developers can install a simple SDK in under a minute and manage all authentication, onboarding, and authorization functions from the developer dashboard. Developers can add other chains with a click, manage their users, create complex onboarding processes, and use Chainalysis to block OFAC and risk wallets, all without writing code.

https://x.com/dynamic_xyz/status/1734959297002611007?s=20

Protocol Events

Synthetix to end SNX token inflation, shift focus to buybacks and burns

Aptos unlocks nearly 25 million APT tokens, worth over $200 million

SSV Ethereum staking network launches permissionless mainnet

Celestia to integrate data availability layer with Polygon CDK

Worldcoin unveils integrations with Minecraft, Reddit, Telegram, and Shopify

Industry Updates

KuCoin settles with New York for $22 million and agrees to block users from the state: Reuters

CFTC votes to propose a rule that would bolster customer protections in the wake of FTX collapse

FASB publishes new crypto rules that will let firms use fair-value accounting

Swarm launches a permissionless trading platform for tokenized real-world assets

IRS counts down the biggest crypto fraud schemes of the year

Twitter Alpha

There is a lot of Alpha hidden in crypto Twitter, but navigating through thousands of Twitter threads can be challenging. Each week, we spend hours researching to curate insightful threads and present you with a weekly selection. Let's dive in!

https://x.com/DamiDefi/status/1733862410375586288?s=20

https://x.com/ViktorDefi/status/1733518275181728092?s=20

https://twitter.com/hmalviya9/status/1735247343937798517?s=19

https://twitter.com/zerokn0wledge_/status/1735146656478396419?s=19

https://twitter.com/0xAndrewMoh/status/1735134758492119110?s=19

Upcoming Events

News Sources:

https://www.theblockbeats.info/news/47438

https://www.theblock.co/post/267532/cftc-votes-to-propose-rule-that-would-bolster-customer-protections-in-wake-of-ftx-collapse

https://www.theblock.co/post/267447/fasb-publishes-new-crypto-rules-that-will-let-firms-use-fair-value-accounting

https://www.theblock.co/post/267229/swarm-launches-permissionless-trading-platform-for-tokenized-real-world-assets

https://www.theblock.co/post/267293/irs-counts-down-biggest-crypto-fraud-schemes-of-the-year

That concludes this week's report. Thank you for reading our weekly newsletter. We hope you benefit from our insights and observations.

You can follow us on Twitter and Medium for real-time updates. See you next time!

This newsletter is for informational purposes only. It should not be considered investment advice. You should conduct your own research and consult independent financial, tax, or legal advisors before making any investment decisions. Past performance of any asset does not guarantee future results.
