1inch web app compromised, losses to be reimbursed

1inch, a decentralized exchange aggregator, was compromised after attackers injected malicious code into an animation library update that prompted users to link their wallets to a crypto drainer.

On October 30, 1inch users encountered malicious pop-ups that appeared unexpectedly and asked them to link their wallets. According to Web3 security firm Blockaid, these prompts, embedded via compromised code in the popular Lottie Player animation library, redirected users to “Ace Drainer” disguised as a standard wallet connection request.

In its post-incident report, 1inch stated that only its web dApp was affected and all other platforms, including its mobile app and API services, were unaffected. The team hinted that some users may have been affected, without disclosing the extent of the losses, but assured that the losses would be refunded.

The developers urged users to “revoke ERC20 assertions from malicious addresses,” adding that they “strengthen dependency management for enhanced security.”

What happened?

According to cybersecurity researcher Gal Nagli, the breach resulted from a large-scale supply chain attack on the Lottie Player animation library.

Lottie Player is widely used for web animations, including by major companies such as Apple, Spotify and Disney, to create engaging user interfaces.

Attackers first breached the GitHub account of a senior software engineer at LottieFiles, the publisher of the Lottie Player library. Using this access, the attackers released three malicious updates within three hours. These updates contained code that placed a malicious pop-up window on websites that used the library.

Although the attack initially targeted web3 companies, Nagli warned that other websites using affected library versions remained vulnerable.

At the time of writing, the affected libraries have been removed from GitHub and users have been asked to upgrade to the latest version.
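For site owners checking their own exposure to this kind of library compromise, the following added example (not code from the article, 1inch or LottieFiles) audits a page's `<script>` tags for third-party code loaded with a floating version or without a Subresource Integrity hash. It assumes the library is loaded through a CDN `<script>` tag; the sample HTML, version numbers and hash values are constructed placeholders.

```javascript
// Added example: flag third-party <script> tags that can change underneath the
// page (floating version) or are not integrity-checked (no SRI attribute).
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@1/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@1.2.3/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>`; // constructed sample, placeholder versions

// Extract the quoted attributes of one tag into a lower-cased key/value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*("([^"]*)"|'([^']*)')/g;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[3] ?? m[4];
  return attrs;
}

// Return the version spec that follows "package@" in a CDN URL, or null if absent.
function versionSpec(src) {
  const m = src.match(/\/(?:npm\/)?(?:@[\w.-]+\/)?[\w.-]+@([^/]+)\//);
  return m ? m[1] : null;
}

// Only a full x.y.z version is treated as pinned; tags and ranges float.
const EXACT = /^\d+\.\d+\.\d+(?:[-+][\w.-]+)?$/;

// Audit every cross-origin <script src> in the HTML and list what is wrong with it.
function auditScripts(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const { src, integrity } = parseAttrs(tag);
    if (!src || !/^(https?:)?\/\//i.test(src)) continue; // inline or same-origin
    const issues = [];
    const spec = versionSpec(src);
    if (spec === null || !EXACT.test(spec)) issues.push(`floating version (${spec ?? "none"})`);
    if (!integrity) issues.push("no integrity attribute");
    if (issues.length) findings.push({ src, issues });
  }
  return findings;
}

for (const f of auditScripts(SAMPLE_HTML)) console.log(f.src, "->", f.issues.join("; "));
```

A floating version combined with an integrity hash fails closed when the upstream file changes, but it is still flagged because the page then breaks instead of loading a reviewed release. Bundled npm dependencies are outside this check and are covered by lockfile pinning instead.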

Cybersecurity firm Scam Sniffer noted in an Oct. 31 post that at least one victim lost 10 BTC, worth approximately $723,436 at the time, after signing a phishing transaction.

The complex nature of crypto scams

On October 17, Blockaid reported another attack in which attackers used malicious code to compromise Ambient Finance, a decentralized exchange. In this case, the attackers reportedly used the Inferno Drainer kit.

In January, ScamSniffer flagged a phishing attack that leveraged transaction codes used in scripting languages of various cryptocurrency platforms to drain $4.2 million worth of aEthWETH and aEthUNI.

Last year, the security firm reported that a wallet drainer used a malicious script to target more than 10,000 websites and steal crypto assets.

Over the years, several wallet drainers have shut down due to security advancements in the crypto space and the establishment of initiatives such as SEAL 911. But attackers continue to find new ways to evade these defenses.
