Attackers injected malicious code into this popular animation library, directing users to link their wallets and gain access to their accounts through a drainer that attempted to drain their crypto assets.

On October 30, 1inch users suddenly encountered malicious pop-ups asking them to link their wallets. According to analysis by Web3 security company Blockaid, these pop-ups were deployed via compromised code in the Lottie Player animation library.

In this way, users were directed to malware called “Ace drainer”, which appeared to be a standard wallet link.

In the report published after the incident, 1inch stated that the attack only affected the web dApp, and that mobile application and API services were not damaged by this attack. Although the 1inch team did not disclose the full extent of the losses caused by the attack, they announced that some users were victims and that the damages would be refunded.

Additionally, the developers stated that users should revoke ERC20 permissions from malicious addresses and added that they have strengthened their dependency management to increase security.

According to cybersecurity researcher Gal Nagli, the source of the attack was a large-scale supply chain attack on the popular Lottie Player animation library.

Lottie Player, which is also used by big brands such as Apple, Spotify and Disney, is a widely preferred library for web animations. However, this incident showed that it is critical to ensure the security of such widely used libraries.

The attackers first took over the GitHub account of a senior software engineer at LottieFiles, the publisher of the Lottie Player library. Using this access, they released three malicious updates in just three hours.

These updates contained code that inserted malicious pop-ups into websites using the Lottie Player library. While Nagli stated that this attack specifically targets web3 companies, he stated that other websites using affected library versions may also be at risk.

As of now, malicious libraries have been removed from GitHub and users are warned to upgrade to the latest version.

Cybersecurity company Scam Sniffer stated in a statement on the X platform on October 31 that at least one user who signed the phishing transaction lost 10 BTC (approximately $723,436).

Additionally, Blockaid reported that in another attack on October 17, attackers used malicious code to compromise decentralized exchange Ambient Finance. It was stated that in this attack, the attackers used the Inferno Drainer kit.

In January, ScamSniffer reported a phishing attack targeting transaction codes used in scripting languages ​​of various crypto platforms, resulting in the theft of approximately $4.2 million worth of aEthWETH and aEthUNI tokens.

Last year, the same security firm reported another wallet drain attack that targeted over 10,000 websites and used a malicious script to steal crypto assets.

While many wallet drain tools have been neutralized over the years thanks to security advancements in the crypto space and initiatives like SEAL 911, attackers continue to develop new methods to evade these defenses.

This incident once again demonstrated that the security of third-party libraries used to ensure security in the world of decentralized finance and crypto should be strictly monitored. 1inch has promised to protect against such attacks by increasing security measures.