On October 30, users of the 1inch decentralized app were shown a malicious prompt asking them to connect their wallet and sign a request; those who did gave attackers access to their assets. The 1inch team confirmed the incident, clarifying that only the 1inch dapp was affected, while the 1inch Wallet, API, and protocols remained secure.
The developers guaranteed the return of stolen funds and advised affected users to use Revoke.cash to revoke the ERC-20 approvals granted to the malicious addresses, so that the attackers can no longer move their tokens. Exact figures on the number of affected users and the total amount stolen have not yet been disclosed.
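The advice above (revoke the approvals) is worth making concrete, because an ERC-20 "approval" is just an `approve(spender, amount)` call the victim signed, and the remedy is another `approve(spender, 0)` call. The example below is added here and is not code from 1inch, Revoke.cash or the article: it decodes the calldata of an approve() call so a wallet or a cautious user can see what is being signed, flags an unlimited allowance to an unknown spender, and builds the zero-amount call that revokes it. The sample spender address is constructed for illustration and is not an address from the incident; the ERC-20 function selectors are the standard ones and no Web3 library is required.

```javascript
// Added example: inspect an ERC-20 approve() call before signing it, and build
// the approve(spender, 0) call that revokes the allowance. Pure JavaScript.
// The selector is the first 4 bytes of keccak256("approve(address,uint256)").
const SELECTOR_APPROVE = "095ea7b3";
const SELECTOR_TRANSFER = "a9059cbb";  // transfer(address,uint256), for comparison
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance many prompts ask for

function strip0x(hex) {
  return hex.startsWith("0x") ? hex.slice(2) : hex;
}

// Decode approve() calldata: 4-byte selector + 32-byte spender word + 32-byte amount.
// Returns null if the bytes are not a well-formed approve() call.
function decodeApprove(calldata) {
  const data = strip0x(calldata).toLowerCase();
  if (data.length !== 8 + 64 + 64) return null;
  if (data.slice(0, 8) !== SELECTOR_APPROVE) return null;
  const spenderWord = data.slice(8, 72);
  // ABI encoding left-pads a 20-byte address to 32 bytes; the top 12 bytes must be zero
  if (!/^0{24}/.test(spenderWord)) return null;
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + data.slice(72, 136));
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Triage a signing prompt: an unlimited allowance to a spender the user does not
// already trust (e.g. a known protocol router) is the pattern to refuse outright.
function assessApproval(calldata, trustedSpenders) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { verdict: "not-an-approve" };
  const trusted = trustedSpenders.map((s) => s.toLowerCase()).includes(decoded.spender);
  if (!trusted && decoded.unlimited) return { ...decoded, verdict: "refuse" };
  if (!trusted) return { ...decoded, verdict: "review" };
  return { ...decoded, verdict: "ok" };
}

// Revocation is approve(spender, 0): same selector, same spender, zero amount.
function buildRevokeCalldata(spender) {
  const addr = strip0x(spender).toLowerCase();
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("invalid address");
  return "0x" + SELECTOR_APPROVE + addr.padStart(64, "0") + "0".repeat(64);
}

// Constructed sample: a prompt asking for an unlimited allowance to an unfamiliar spender.
// The address is made up for this example and is not one of the incident's addresses.
const SAMPLE_SPENDER = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd";
const SAMPLE_CALLDATA =
  "0x" + SELECTOR_APPROVE +
  strip0x(SAMPLE_SPENDER).padStart(64, "0") +
  MAX_UINT256.toString(16).padStart(64, "0");

console.log(assessApproval(SAMPLE_CALLDATA, []));        // verdict: "refuse"
console.log(buildRevokeCalldata(SAMPLE_SPENDER));        // calldata to send to the token contract
console.log(assessApproval("0x" + SELECTOR_TRANSFER + "0".repeat(128), [])); // not-an-approve
```

The revocation calldata is sent as a transaction to the token contract itself, one per token and spender pair, which is what Revoke.cash automates; the decoder is the part a wallet UI should run before showing the user a one-click "Confirm" button.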
The breach was caused by a supply chain compromise of the popular Lottie Player library, which is used for user interface animations. According to researchers, the attack targeted major crypto projects: the injected code automatically substituted addresses in the Web3 wallet-connection pop-ups shown on legitimate sites. The attackers obtained an access token belonging to one of the library's maintainers and used it to publish several versions of the package, containing malicious code, to the NPM registry.
As of the time of publication, the issue has been resolved, and the compromised package versions have been removed from NPM and from the CDNs that mirror it. However, all sites using the vulnerable library are strongly advised to update to a secure version.
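The mechanism described above, a maintainer token used to push poisoned versions that CDNs then served to every page loading the library without a pinned version or an integrity hash, suggests two checks a site operator can run. The script below is added here as an example and is not code from the library's authors or from 1inch. It assumes the library's npm package name is `@lottiefiles/lottie-player` and that CDN URLs follow the common `<name>@<version>/<file>` layout; the HTML, lockfile and the compromised-version list it runs against are constructed placeholders (substitute the versions named in the vendor advisory), not values from the incident.

```javascript
// Added example: audit how a site pulls in an npm-published UI library, either
// from a CDN <script> tag or through a package-lock.json. Flags unpinned CDN
// references (no version, "latest", or a range), CDN tags with no SRI integrity
// attribute, and any resolved version in a caller-supplied compromised list.
const PACKAGE = "@lottiefiles/lottie-player"; // assumed npm package name
const FLOATING = /^(latest|next|[\^~><*])/;   // version specs that can silently move

// Walk <script src="..."> tags in an HTML string and report issues for this library.
function auditHtml(html, badVersions) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const src = m[1];
    if (!src.includes("lottie-player")) continue;
    // unpkg/jsDelivr style URL: .../<name>@<version>/...; no "@version" means "latest"
    const ver = /lottie-player@([^/]+)/.exec(src);
    const version = ver ? ver[1] : null;
    if (!version || FLOATING.test(version)) {
      findings.push({ src, issue: "unpinned" });
    } else if (badVersions.has(version)) {
      findings.push({ src, issue: "compromised-version", version });
    }
    // Without an integrity attribute the browser runs whatever the CDN serves.
    if (!/\bintegrity\s*=/.test(tag)) findings.push({ src, issue: "no-sri" });
  }
  return findings;
}

// Report every resolved copy of the library in a package-lock.json (v1, v2 and v3 layouts).
function auditLockfile(lockJson, badVersions) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  const record = (path, entry) =>
    hits.push({ path, version: entry.version, compromised: badVersions.has(entry.version) });
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE)) record(path, entry);
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PACKAGE) record(path, entry);
      walk(entry.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Placeholder for the versions named in the vendor advisory (constructed, not real).
const EXAMPLE_BAD_VERSIONS = new Set(["9.9.9"]);

// Constructed page: one floating tag, one pinned to the "bad" version, one done right.
const SAMPLE_HTML = `
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@9.9.9/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@1.2.3/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/app.js"></script>`;

// Constructed lockfile (v3 layout) resolving the library to the "bad" version.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "site" },
    "node_modules/@lottiefiles/lottie-player": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/PLACEHOLDER",
      integrity: "sha512-PLACEHOLDER",
    },
  },
});

console.log(auditHtml(SAMPLE_HTML, EXAMPLE_BAD_VERSIONS));
console.log(auditLockfile(SAMPLE_LOCK, EXAMPLE_BAD_VERSIONS));
```

A pinned version alone is not enough against this class of attack if the pinned version is one of the poisoned ones, which is why the lockfile check compares against the advisory list; a correct `integrity` attribute on the CDN tag would have caused the browser to refuse the swapped file outright.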