1inch, a decentralized exchange aggregator, was compromised after attackers injected malicious code into an animation library update, prompting users to connect their wallets to a crypto drainer.

On Oct. 30, 1inch users encountered malicious popups that appeared unexpectedly, urging them to connect their wallets. These prompts, embedded through compromised code in the popular Lottie Player animation library, redirected users to “Ace drainer” disguised as a standard wallet connection request, according to web3 security firm Blockaid.

In its post-incident report, 1inch noted that only its web dApp was affected, and all other platforms, including its mobile app and API services, remained unaffected. Without disclosing the extent of losses, the team hinted that some users may have been affected, but assured that losses would be refunded.

The developers have urged users to “revoke ERC20 approvals from malicious addresses” adding that they are “strengthening dependency management for enhanced security.”

What happened?

According to cybersecurity researcher Gal Nagli, the breach stemmed from a large-scale supply chain attack on the Lottie Player animation library.

Lottie Player, widely used for web animations, is used by major companies like Apple, Spotify, and Disney for creating engaging user interfaces.

The attackers initially breached the GitHub account of a senior software engineer at LottieFiles, the publisher of the Lottie Player library. Using this access, the attackers pushed three malicious updates within a span of three hours. These updates contained code that injected a malicious popup into websites using the library.

While the attack, according to Nagli, was originally targeted towards web3 firms, he warned that other websites using the affected library versions remain vulnerable. 

At press time, the affected libraries had been removed from GitHub, and users had been asked to upgrade to the latest version.

In an Oct. 31 X post, Cybersecurity firm Scam Sniffer noted that at least one victim had lost 10 BTC, worth roughly $723,436 at the time, after signing a phishing transaction.

The complex nature of crypto scams

On Oct. 17, Blockaid reported another attack where attackers pushed malicious code to compromise Ambient Finance, a decentralized exchange. In that instance, attackers were reportedly using the Inferno Drainer kit.

In January, ScamSniffer flagged a phishing attack that exploited operation codes used in the scripting languages of various cryptocurrency platforms to drain $4.2 million worth of aEthWETH and aEthUNI.

Last year, the security firm reported a wallet drainer employing a malicious script to target over 10,000 websites and steal crypto assets.

Over the years several wallet drainers have shut down due to security advancements in the crypto space and the establishment of initiatives like SEAL 911. However, attackers continue to find new ways to evade these defenses.

Related Posts