- 1inch web dApp users encountered ‘Ace drainer’ pop-ups through vulnerabilities in the Lottie Player animation library.
- Only 1inch’s web dApp experienced issues, prompting revocation of ERC20 token approvals on suspicious addresses.
- Hackers accessed LottieFiles’ GitHub, releasing malicious updates that impacted sites using older Lottie Player versions.
1inch, a leading DeFi protocol, was recently hacked, and the attack affected its web dApp. Some users reported seeing suspicious-looking pop-ups that asked them to link their wallets. Blockaid, a blockchain security company, said that these prompts led users to the ‘Ace drainer’ page, which posed as a standard wallet connection request. The attack exploited a vulnerability in the Lottie Player animation library, which is integrated into many apps.
1inch acknowledged the breach, adding that only its web dApp was compromised; the mobile application and API services were not affected during the period. The team did not reveal the magnitude of user losses but promised to compensate anyone affected. They also advised users to revoke ERC20 token approvals for suspicious addresses. The 1inch developers are enhancing dependency management to avoid similar attacks in the future.
1inch Supply Chain Attack
The breach was part of a larger supply chain attack on the Lottie Player animation library, which is used by many firms, including Apple, Spotify and Disney, for web animations. According to cybersecurity expert Gal Nagli, the hackers were able to penetrate the GitHub account of a senior engineer at LottieFiles, the company that developed Lottie Player.
They exploited this access and released three malicious updates in three hours. These updates delivered new malware, in the form of a pop-up, to websites that incorporated the affected library, adversely affecting many users. While web3 companies were the main focus of the attack, other websites with the old version of Lottie Player can also be vulnerable, according to Nagli.
The affected library versions have since been pulled from GitHub, and people are advised to download versions that are not vulnerable. In an X post, cybersecurity firm Scam Sniffer reported that one 1inch user lost 10 BTC, equivalent to approximately $723,436, after signing a fake transaction related to the attack.
Ongoing Security Risks
This incident came only a day after Blockaid reported on October 17 that malicious code had been directed at Ambient Finance, a decentralized exchange. That attack was carried out using the Inferno Drainer toolkit. DeFi platforms are not immune to wallet-drainer attacks even with better measures in place.
Crypto security firms, including Scam Sniffer, have shared several instances where wallets were emptied. Recent measures that have been enhanced include SEAL 911, which has helped to minimize some of the attacks. Nevertheless, this event is proof of the persistent threat of vulnerabilities in the web3 ecosystem. Continued strong supply chain security remains important for protecting users and their assets.