Bitcoin Forum
Author Topic: ledger nano s hack question  (Read 150 times)
simplyred (OP)
March 13, 2018, 08:02:55 PM
 #1

I was going to send an ERC20 token from my Ledger Nano S, and on the Ledger device itself I always get some other address when I was going to send.

Is this the contract address that I am seeing, or am I infected from this Ledger Nano S malware/hack that happened in February?

Because I always thought I should be looking at the exact receiving address on the device itself.

Thanks guys.

Xynerise
March 13, 2018, 08:48:46 PM
 #2

When you're sending ERC20 tokens with the Ledger, the address that shows on the Ledger device is the smart contract address of the token, because that's how smart contract tokens work: addresses in Ethereum don't "own" tokens; the smart contract does.
The smart contract is just an array of addresses with the token balance of the addresses.
So whenever you're sending tokens to another address, you're actually sending a call to the smart contract to update its mapping of tokens and update the balances to reflect your transaction.
simplyred (OP)
March 13, 2018, 09:10:58 PM
 #3

Thanks Xynerise

But how can I then know if I am sending to the right address, not the hacker's address (the February hack address thing)?
RGBKey
March 13, 2018, 09:40:57 PM
 #4

I'm not sure there is a way to, because I don't think the Ledger displays the contract data being sent.
bob123
March 15, 2018, 05:05:51 PM
 #5

> It's using a Hierarchical Deterministic architecture. The main idea is to avoid address reuse by deriving all keys from a master key and an index, so all previously generated keys are valid.
>
> This is normal for the Nano S to always have a different address.

Did you even read the thread/OP? That's completely irrelevant.

> Because I always thought I should be looking at the exact receiving address on the device itself.

This applies to the 'receiving' address of your Nano S.
This is to ensure the private key which is necessary to spend funds from this address has been created by your Nano S.
That step prevents malware from manipulating your screen (to mislead you into sending coins to that 'faked' address).

> But how can I then know if I am sending to the right address, not the hacker's address (the February hack address thing)?

You have to verify your address (when receiving coins 'to your Nano S') to make sure it has been properly created by your device.
When sending coins you will have to verify the transaction details on your Nano S.
If you always carefully check whether the details on monitor / Nano S screen match, you are good to go.

HCP
March 16, 2018, 05:15:32 AM
Merited by achow101 (1)
 #6

> ... or am I infected from this Ledger Nano S malware/hack that happened in February?
> But how can I then know if I am sending to the right address, not the hacker's address (the February hack address thing)?

It should be pointed out that there was no ACTUAL malware/hack... What happened was that:

1. Someone pointed out a potential vulnerability with the way the Ledger Chrome App displays addresses in the app... there was no "confirmation" option when displaying receive addresses, so malware COULD potentially alter it to a hacker's address and trick people into giving out incorrect addresses. This was ONLY for "receive" addresses... it did not apply to addresses you were sending to, as they were always displayed on the device BEFORE you confirmed a send transaction.

2. There was also the announcement recently about a vulnerability that existed pre-firmware 1.4.1... again, there was NO actual malware/hack known to exist in the wild, simply a proof of concept (not fully disclosed, details due for release Mar 20th)... it was uncovered by a 3rd party, they advised Ledger who patched it in the latest firmware.

As far as I'm aware... there were no known cases of malware exploiting either of these vulnerabilities before they were patched.

crypto_sec_please
March 16, 2018, 07:48:50 AM
Merited by HCP (1)
 #7

To verify the smart contract address you can check with the company or creator themselves; they should have some authoritative confirmation of the address. Most likely, if you have tokens already, you can check where you sent the original transaction to and if it matches. Various third parties like ethscan also provide community feedback on addresses, and often scammers' addresses will have relevant feedback. Best to check in multiple ways that the contract you believe it to be is what it is rather than rely on just one confirmation from one source.
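
Added example, not part of any post in this thread: as post #2 explains, a token send is a call to the token contract, so the transaction's "to" field is the contract and the recipient sits inside the call data. The Python sketch below decodes the standard ERC-20 transfer(address,uint256) call data and compares contract, recipient and amount with what was intended, a host-side counterpart to the checks suggested in posts #5 and #7. Function names and sample addresses are constructed for illustration.

```python
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # keccak256("transfer(address,uint256)")[:4]


def decode_erc20_transfer(data_hex):
    """Return (recipient, raw_amount) from transfer(address,uint256) calldata."""
    raw = data_hex[2:] if data_hex.startswith("0x") else data_hex
    data = bytes.fromhex(raw)
    if len(data) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length for transfer()")
    if data[:4] != TRANSFER_SELECTOR:
        raise ValueError("not a transfer(address,uint256) call")
    addr_word, amount_word = data[4:36], data[36:68]
    # An address is 20 bytes, left-padded with 12 zero bytes in its 32-byte slot.
    if any(addr_word[:12]):
        raise ValueError("non-zero padding in address argument")
    return "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")


def check_token_send(tx, expected_contract, expected_recipient, expected_amount):
    """Compare an unsigned transaction with the intended send; return mismatches."""
    problems = []
    # The transaction's own 'to' field should be the token contract ...
    if tx["to"].lower() != expected_contract.lower():
        problems.append("tx 'to' is not the expected token contract")
    try:
        recipient, amount = decode_erc20_transfer(tx["data"])
    except ValueError as exc:
        return problems + ["calldata: %s" % exc]
    # ... while the person being paid appears only inside the call data.
    if recipient != expected_recipient.lower():
        problems.append("recipient in calldata is " + recipient)
    if amount != expected_amount:
        problems.append("amount in calldata is %d" % amount)
    return problems


def build_transfer_data(recipient, amount):
    """Encode transfer(recipient, amount); used here only to build sample input."""
    return ("0x" + TRANSFER_SELECTOR.hex() + recipient[2:].lower().rjust(64, "0")
            + amount.to_bytes(32, "big").hex())


# Constructed sample values, not real addresses.
TOKEN, FRIEND, OTHER = ("0x" + b * 20 for b in ("11", "22", "33"))

if __name__ == "__main__":
    tx = {"to": TOKEN, "data": build_transfer_data(OTHER, 5 * 10**18)}
    print(check_token_send(tx, TOKEN, FRIEND, 5 * 10**18))
```

The amount is the raw integer from the call data; the token's decimals setting is not applied.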