KEY TAKEAWAYS
- A supply chain attack targeted the DeFi platform 1inch, exploiting a compromised third-party library to pose risks to users.
- 1inch quickly identified and neutralized the threat, ensuring their core protocols and wallet remained secure.
- The incident highlights the importance of vigilance in managing external software dependencies within the DeFi ecosystem.
- 1inch advises using tools like Revoke.cash to audit wallet permissions and emphasizes the need for human review in dependency management.
A recent supply chain attack in the decentralized finance (DeFi) space targeted both developers and users, highlighting vulnerabilities in widely used software libraries. The incident involved 1inch, a prominent DeFi platform, and a compromised third-party UI animation library, @lottiefiles/lottie-player. The breach posed significant risks to any application or wallet that loaded the library.
On October 30, 1inch identified the security incident at 2:31 PM PDT and took immediate action to neutralize the threat, resolving the issue by 3:22 PM PDT. Importantly, 1inch’s core protocols, wallet, and API remained unaffected. The attack was limited to the 1inch decentralized application (dApp).
Understanding the Attack and Response
The attacker used compromised secrets belonging to a contributor to the @lottiefiles/lottie-player library to inject malicious code into new releases of the package. The injected code displayed a deceptive popup requesting a wallet connection while malicious operations ran in the background. Once a wallet was connected, the attacker selectively requested token-transfer permissions, which could give unauthorized access to user funds.
The 1inch team, alerted by @pcaversaccio, swiftly identified the compromised library. They rolled back to a verified safe version, removing the malicious code from the 1inch dApp. The attacker’s drainer account was also identified, aiding in assessing the extent of the losses.
Lessons and Precautions for the DeFi Community
This incident underscores the risks associated with external software dependencies in the DeFi ecosystem. Developers and users are advised to be cautious with permission requests and to verify the source of such requests. Tools like Pocket Universe and Wallet Guard can help identify potential risks before confirming transactions.
1inch recommends using services like Revoke.cash to audit wallet permissions and to regularly check for unnecessary or suspicious approvals. Pinning dependencies to explicit versions and auditing each update before integrating it can prevent similar attacks. Dependency management tools like npm audit or yarn audit are useful, but human review remains essential.
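As an added illustration of the version-pinning advice above (example code, not from 1inch or the LottieFiles project), the following script reads a package.json and reports every dependency declared as a floating range, dist-tag or other non-exact specifier, so that a new upstream release such as a compromised @lottiefiles/lottie-player version cannot be pulled in by a routine install. The manifest and all version numbers in it are constructed for the example.

```javascript
// Added example: flag dependencies that are not pinned to an exact version.
// The package.json below is constructed for illustration; versions are made up.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-dapp",
  dependencies: {
    "@lottiefiles/lottie-player": "^2.0.0", // caret range: any 2.x.y is accepted
    "ethers": "6.13.0",                    // exact pin
    "some-ui-widget": "latest",            // dist-tag: whatever was published last
  },
  devDependencies: {
    "typescript": "~5.4.0",                // tilde range
    "vite": "5.2.11",                      // exact pin
  },
});

// An exact pin is MAJOR.MINOR.PATCH, optionally with a semver prerelease
// and/or build suffix. Anything else (^, ~, >=, *, x, ||, dist-tags,
// git/URL specs) lets the package manager pick a version nobody reviewed.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec.trim());
}

// Returns [{ section, name, spec }] for every dependency that is not an
// exact pin, across all dependency sections npm recognises.
function findFloatingDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const sections = ["dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"];
  const floating = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isExactPin(spec)) floating.push({ section, name, spec });
    }
  }
  return floating;
}

// Stand-alone run over the constructed manifest.
for (const f of findFloatingDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.section}: ${f.name}@${f.spec} is not an exact pin`);
}
```

An exact pin only guarantees that upgrades happen deliberately; the pinned version itself still has to be reviewed, which is the human step the article says tools cannot replace.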
The attack on @lottiefiles/lottie-player serves as a reminder of the importance of vigilance in third-party dependency management. 1inch continues to enhance its security practices to mitigate future risks. For further details, the full post-mortem can be read here.
Disclaimer: The views expressed in this article are those of the authors and do not necessarily reflect the official policy of CoinsHolder. Content, including that generated with the help of AI, is for informational purposes only and is not intended as legal, financial, or professional advice. Readers should do their research before taking any actions related to the company and carry full responsibility for their decisions.