Ledger, one of the leading cryptocurrency hardware wallet manufacturers, announced on Friday that a bug had been found in the wallet’s Ethereum Chrome application, resulting in user funds being sent to an ETH address other than that specified.
Ledger Wallet Ethereum Chrome App Bug
The bug, which was discovered in update 1.3.0 of the Ledger Wallet Ethereum Chrome App that was rolled out on Thursday, caused a static recipient address to be shown to all users instead of the actual recipient’s address. As a result, many wallet users found that their ETH, ETC, and some ERC20 token transactions never arrived at their intended destinations.
There is currently an issue on the Ledger Wallet Ethereum Chrome application, showing on screen a static address (same for all users). This looks more like a bug than a compromission. Engineering is working on it, we'll know more soon. PLEASE USE ONLY LEDGER LIVE / MEW MEANWHILE
According to Ledger, the issue impacted transactions within the Ethereum app between 8 pm CET Thursday and 10 am CET Friday. They report that approximately 64 transactions were affected; however, Etherscan shows an additional 15 transactions, for a total of 82. At the time of this writing, the erroneously displayed ETH address has received approximately 243.6 ETH – $98,595 at current prices – and an additional $17,635 in assorted ERC20 tokens.
Where did the additional 12 transactions come from? Were they related to the bug issue? Could the static ETH address have been an address used to test the update that somehow did not get removed prior to publishing? Hopefully, Ledger will be able to answer these questions in the coming days.
Ledger to Compensate 100% of Affected User Losses
Fortunately, other than user funds being sent to the wrong address, damage was relatively minimal. Ledger was quick to stress that ONLY version 1.3.0 of the Ledger Wallet Ethereum Chrome App was affected by the bug. All of the other Ledger Wallet Chrome apps – as well as Ledger Live – were unaffected. If there is any good news to be found in this situation, it is that Ledger became aware of the problem quickly and took steps to limit losses to users. Not only that, but the company has announced that it will cover 100% of user losses related to the issue:
We confirm this is a bug in the Chrome app, coming from a side effect when we pushed an update to invite users to use the Ledger Live instead of the Chrome app. A wrong address was shown on the computer. Ledger will cover 100% of all losses due to the issue.
Users who suffered losses as a result of the bug should go to the company’s Ledger Support page and select “Something went wrong with the ETH Chrome App” from the drop-down form field. Complete the form and click the Submit button, and someone from Ledger’s support team will be in contact with you.
Ledger is cautioning users of the Ethereum Chrome app to be sure to update to the latest patched version. To do this, all you need to do is shut down your Chrome browser and then restart it. The application will then automatically install the patched update.
In light of the fact that Google will be discontinuing Chrome apps by year’s end, Ledger highly recommends switching to Ledger Live, the new “all-in-one companion application for your Ledger device that runs on Windows, Mac, and Linux.”