Oct 2024 - 1Inch Exchange DApp Lottie Player Supply Chain Attack - $723k (Global)

"One-stop access to decentralized finance" "Optimize your trades across hundreds of DEXes on multiple networks" "A tool for swapping tokens across any network and placing on-chain limit orders securely, at the best rate." "The most powerful mobile app for managing your assets and exploring Web3." "A cutting-edge tracking tool offering accurate, detailed and well-organized crypto portfolio information."
"1inch is dedicated to advancing a secure and compliant DeFi ecosystem. By uniting with forefront security and compliance specialists, we set the standard for safety and compliance, ensuring our users navigate the DeFi space with confidence."
"A Lottie Player compromise caused a malicious signature request on the 1inch dApp. 1inch smart contracts, Wallet, and APIs were unaffected."
"On Oct 30, 9:12 PM - 11:22 PM CET, 1inch dApp users may have encountered a malicious wallet connect and signature request.
This signature allows an attacker to drain users' funds.
Only the 1inch web dApp was affected; the 1inch Wallet, API, and protocols were never compromised."
Further Analysis
Lottie Player is a common animation framework, widely used across dozens of top websites, including well-known brands. On October 30th, 2024, an upgrade to the plug-in was deployed on 1Inch, a widely used decentralized exchange. The upgraded component prompted users for additional approvals, and some users granted them. These approvals gave infinite permissions over the users' wallets and allowed a malicious actor to make off with their funds. One user lost 10 bitcoin. 1Inch has suggested that losses would be eligible for refunds and encouraged affected users to reach out to them.
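The loss mechanism above is an unlimited token approval granted to an attacker-controlled spender. As an added defensive illustration (not code from the original page or from 1inch), the check below decodes an outgoing ERC-20 `approve(address,uint256)` call and flags an unlimited allowance or an unexpected spender; the selector 0x095ea7b3 is the standard ERC-20 one, while the spender address and policy threshold are constructed placeholders.

```javascript
// Added example: flag ERC-20 approve() calls that grant an unlimited allowance
// or name a spender other than the one the dApp is expected to use.
const APPROVE_SELECTOR = "095ea7b3";      // standard ERC-20 approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;     // the "infinite" approval amount

// Decode approve() calldata; returns null if the call is not approve().
function decodeApprove(calldataHex) {
  const hex = calldataHex.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 136 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(32, 72);   // last 20 bytes of the padded address word
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount };
}

// Classify an approval. `maxAllowed` is a hypothetical policy value: the largest
// allowance (in token base units) the wallet will pass without extra review.
function checkApproval(calldataHex, expectedSpender, maxAllowed) {
  const decoded = decodeApprove(calldataHex);
  if (!decoded) return { risk: "not-approve" };
  const unlimited = decoded.amount === MAX_UINT256;
  const unknownSpender = decoded.spender !== expectedSpender.toLowerCase();
  let risk = "low";
  if (unlimited || unknownSpender) risk = "high";
  else if (decoded.amount > maxAllowed) risk = "medium";
  return { risk, unlimited, unknownSpender, ...decoded };
}

// Build approve() calldata for a constructed sample (ABI: selector + two 32-byte words).
function encodeApprove(spender, amount) {
  const s = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const a = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + s + a;
}

// Constructed placeholder spender and a sample call mirroring the incident's unlimited approval.
const ROUTER = "0x1111111111111111111111111111111111111111";
const UNLIMITED_CALL = encodeApprove(ROUTER, MAX_UINT256);
console.log(checkApproval(UNLIMITED_CALL, ROUTER, 10n ** 18n));
```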
How Could This Have Been Prevented?
Sources/Further Reading
@realScamSniffer Twitter (Dec 31)
Avalanche C-Chain Transaction Hash (Txhash) Details | SnowScan (Dec 31)
GitHub - LottieFiles/lottie-player: Lottie viewer/player as an easy to use web component! https://lottiefiles.com/web-player (Dec 31)
Lottie Web Player - LottieFiles (Dec 31)
1inch Network | Leading high capital efficient DeFi protocols (Dec 31)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com