On October 30, users of the decentralized application 1inch encountered a malicious request to connect and sign their wallets, enabling attackers to steal assets. Representatives of the project confirmed the incident.
On Oct 30, 9:12 PM — 11:22 PM CET, 1inch dApp users may have encountered a malicious wallet connect and signature request.
This signature allows an attacker to drain user’s funds.
Only the 1inch web dApp was affected; the 1inch Wallet, API, and protocols were never compromised.
— 1inch (@1inch) October 31, 2024
According to them, only the 1inch dApp was affected—the 1inch Wallet, API, and protocols remained uncompromised. The team has guaranteed the return of stolen funds.
All affected users are advised to revoke ERC-20 approvals from malicious addresses using the Revoke.cash tool to prevent further access.
The number of affected users and the amount of stolen funds have not been disclosed.
The breach was caused by a supply chain attack on the popular user interface animation library Lottie Player. The ultimate targets were the websites of major cryptocurrency projects.
Cybersecurity experts noted that the compromise led to the automatic replacement of data in Web3 wallet connection pop-ups on legitimate sites with the attackers’ address.
TLDR: Massive Supply Chain attack had been happening on the highly popular JS Library lottie-player since ~2 hours ago that populates attackers Web3 wallet connection pop-up on legitimate websites.
I’ll write here what we know, what can be done and how to detect it in the wild.… pic.twitter.com/aX4DIj7Olp
— Nagli (@galnagli) October 31, 2024
Preliminary investigation findings suggest hackers compromised the account token of one of the maintainers, allowing them to inject malicious code into approximately three versions of the NPM package manager.
At the time of writing, the issue has been resolved, and the original infected package has been removed from NPM and most leading CDN. However, sites using the vulnerable library must update to secure versions.
Earlier, cryptocurrency payment provider Transak confirmed partial third-party access to user data. The company claims that financially sensitive or critically important information was not compromised.