Dynamic Labs - 🚨 Important update on Ledger ConnectKit vulnerability – Incident details

Resolved
Operational
Started 7 months ago. Lasted less than a minute.

Affected

SDK

Operational from 4:13 PM to 4:13 PM

Updates
  • Resolved

    🚨 Important update on Ledger ConnectKit vulnerability:

    tl;dr - Dynamic is not affected. We recommend upgrading to the latest Wagmi version (if you use Wagmi) out of an abundance of caution.

    What is the issue
    The Ledger ConnectKit experienced a supply chain attack. Wagmi includes that SDK in its package, but the SDK is only used when the Ledger Connector is called directly. Dynamic does not use the Wagmi or Ledger ConnectKit SDKs.

    How does it affect you

    • The Dynamic SDK itself does not depend on Wagmi or Ledger ConnectKit. If you use Dynamic directly, you are not affected.
    • If you use Dynamic+Wagmi, you may want to upgrade our SDK to the latest versions (v1.0.1 and v0.19.6). Dynamic's connector uses Wagmi as a peer dependency, but does not use the Ledger Connector.
    • If you're still on v0.18.100-viem.30 of Dynamic, you may want to upgrade your Wagmi library as well.

    What to do if I use Wagmi
    You can do one of two things:

    • We released new versions of our v1 and 0.19 libraries. These include the updated Wagmi library. Please update to the latest version.
    • If you use Wagmi directly or would like to just upgrade the version, install SDK 1.4.12.
      (Note that if you use yarn, you have to upgrade the package manually.)

    What this fix does in Wagmi connector
    This fix bumps the version of the affected Wagmi peer dependency that gets installed. There are no code changes required besides the version bump.

    Again, if you use Dynamic without Wagmi, you are not affected.
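
To confirm after the version bump which copies of a dependency are actually installed and which packages declare it, you can walk the `packages` map of an npm `package-lock.json`. The following is an added example, not code from Dynamic, Wagmi or Ledger; the lockfile is constructed, and every package name except `wagmi` and all versions are placeholders.

```javascript
// Added example: constructed lockfile. Only "wagmi" is a name from the page;
// every other package name and all versions are placeholders.
const TARGET = "connect-kit-placeholder"; // substitute the affected package's npm name
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-dapp", dependencies: { wagmi: "0.0.0-sample" } },
    "node_modules/wagmi": {
      version: "0.0.0-sample",
      dependencies: { [TARGET]: "^0.0.1" },
    },
    "node_modules/connect-kit-placeholder": { version: "0.0.1-sample" },
    "node_modules/sample-wallet-ui": {
      version: "0.0.0-sample",
      dependencies: { [TARGET]: "0.0.0-old" },
    },
    // Nested copy pinned by another package: bumping the top-level copy misses it.
    "node_modules/sample-wallet-ui/node_modules/connect-kit-placeholder": { version: "0.0.0-old" },
    // Similar name, different package: must not be reported.
    "node_modules/connect-kit-placeholder-loader": { version: "0.0.0-sample" },
  },
};

// Package name for a lockfile path: the text after the last "node_modules/".
function nameOf(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? (path || "(root project)") : path.slice(i + marker.length);
}

// Returns every installed copy of `target` and every package that declares it.
function auditLockfile(lock, target) {
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 ('packages' map)");
  const copies = [];
  const requiredBy = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path.includes("node_modules/") && nameOf(path) === target) {
      copies.push({ path, version: meta.version });
    }
    for (const field of ["dependencies", "peerDependencies", "optionalDependencies"]) {
      const range = (meta[field] || {})[target];
      if (range !== undefined) requiredBy.push({ parent: nameOf(path), field, range });
    }
  }
  return { copies, requiredBy };
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, TARGET), null, 2));
```

For a real project, pass the parsed contents of your own `package-lock.json` as the first argument. More than one entry in `copies` means an older nested copy is still installed alongside the upgraded one.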