1inch, a decentralized exchange aggregator, experienced a security breach after attackers injected malicious code into an update of an animation library used by its web app. The injected code prompted users to connect their wallets to a crypto drainer.

Incident Details

On Oct. 30, 1inch users encountered unexpected malicious popups urging them to connect their wallets. These prompts were embedded through compromised code in the popular Lottie Player animation library. The code redirected users to “Ace drainer,” which was disguised as a standard wallet connection request, according to web3 security firm Blockaid.

In its post-incident report, 1inch noted that only its web dApp was affected. All other platforms, including its mobile app and API services, remained unaffected. While the team did not disclose the extent of the losses, they hinted that some users might have been affected and assured that any losses would be refunded.

The developers have urged users to revoke any ERC20 approvals granted to the malicious addresses and said they are strengthening dependency management to improve security.

Background on the Attack

According to cybersecurity researcher Gal Nagli, the breach stemmed from a large-scale supply chain attack on the Lottie Player animation library. Lottie Player, widely used for web animations, is used by major companies like Apple, Spotify, and Disney to build engaging user interfaces.

The attackers initially breached the GitHub account of a senior software engineer at LottieFiles, the publisher of the Lottie Player library. Using this access, the attackers pushed three malicious updates within a span of three hours. These updates contained code that injected a malicious popup into websites using the library.

While the attack was originally aimed at web3 firms, Nagli warned that any other website still using the affected library versions remains vulnerable. At press time, the affected versions had been removed from GitHub, and users were asked to upgrade to the latest version.

Consequences and Warnings

In an Oct. 31 post, cybersecurity firm Scam Sniffer noted that at least one victim lost 10 BTC, worth roughly $723,436 at the time, after signing a phishing transaction. This theft is likely related to the supply chain attack on Lottie Player earlier that day.

3 hours ago, a victim lost 10 BTC ($723,436) due to signing a phishing transaction. This theft is likely related to the supply chain attack on Lottie Player earlier today.

The Complex Nature of Crypto Scams

On Oct. 17, Blockaid reported another attack where attackers pushed malicious code to compromise Ambient Finance, a decentralized exchange. In that instance, attackers were reportedly using the Inferno Drainer kit.

In January, Scam Sniffer flagged a phishing attack that exploited operation codes used in the scripting languages of various cryptocurrency platforms to drain $4.2 million worth of aEthWETH and aEthUNI.

Last year, Scam Sniffer reported a wallet drainer that used a malicious script to target over 10,000 websites and steal crypto assets.

Over the years, several wallet drainers have shut down due to security advancements in the crypto space and the establishment of initiatives like SEAL 911. However, attackers continue to find new ways to evade these defenses.
