Urgent Security Update (Ledger library vulnerability)

Safety is of paramount importance to the cLabs team. We wanted to draw your attention to the recent announcement by Ledger of a vulnerability in recent versions of the Ledger connect-kit library, into which an attacker inserted malicious code.

This affects web and mobile app frontends built using a range of libraries on EVM chains including Ethereum and Celo. The malicious code, added only today, could cause frontends to prompt users to sign malicious transactions.

:point_right: Call-to-action for users

We strongly urge all users to exercise caution and refrain from interacting with any web- or mobile-based dapp frontends until the teams responsible for them confirm it is safe to do so.

The Celo blockchain itself is not affected; only dapp frontends built using the affected library are.

Safety Confirmation for cLabs NPM Packages

The cLabs team has verified the safety of two crucial NPM packages: @celo/contractkit and @celo/celocli. Users can confidently continue using these packages without concern for the recently discovered vulnerability.

Vulnerability Alert for @celo/rainbowkit-celo

However, we have identified a potential security risk for all frontends built using @celo/rainbowkit-celo. This vulnerability stems from the transitive dependency on @ledgerhq/connect-kit-loader, which is linked to the compromised library @ledgerhq/connect-kit.

The dependency chain is as follows:

@celo/rainbowkit-celo --uses--> @rainbow-me/rainbowkit --uses--> @wagmi/connectors --uses--> @ledgerhq/connect-kit-loader --loads--> @ledgerhq/connect-kit (compromised library).

:point_right: Call-to-action for developers

We strongly advise all developers to upgrade to @celo/rainbowkit-celo@1.1.1 or higher immediately. This version incorporates a critical patch from @wagmi/connectors@3.1.10, which removes the compromised Ledger library and secures your frontend.

If you have questions, need assistance, or have a particularly sensitive issue, please reach out to devrel@celo.org.

Stay vigilant!
