1Inch Exchange DApp Lottie Player Supply Chain Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:34, 6 December 2024 by Azoundria


1Inch Exchange Logo/Homepage

Lottie Player is a widely used animation framework, deployed across dozens of top websites including well-known brands. On October 30th, 2024, an upgrade to the plug-in was rolled out on 1Inch, a widely used decentralized exchange. The upgraded plug-in prompted users for additional wallet approvals, and some users granted them. These approvals gave infinite permissions over the users' tokens and allowed a malicious actor to make off with their funds. One user lost 10 bitcoin. 1Inch has suggested that losses would be eligible for refunds and encouraged affected users to reach out to them.[1][2][3][4][5][6]

About 1Inch Exchange

"One-stop access to decentralized finance" "Optimize your trades across hundreds of DEXes on multiple networks" "A tool for swapping tokens across any network and placing on-chain limit orders securely, at the best rate." "The most powerful mobile app for managing your assets and exploring Web3." "A cutting-edge tracking tool offering accurate, detailed and well-organized crypto portfolio information."

"1inch is dedicated to advancing a secure and compliant DeFi ecosystem. By uniting with forefront security and compliance specialists, we set the standard for safety and compliance, ensuring our users navigate the DeFi space with confidence."

About Lottie Player

"Bring engaging animations to any website. Get your beautiful animations into any web page, just by pasting in a snippet of code."

"A Lottie is a JSON-based animation file format that allows you to ship animations on any platform as easily as shipping static assets. They are small files that work on any device and can scale up or down without pixelation. LottieFiles lets you create, edit, test, collaborate on and ship a Lottie in the easiest way possible."

"Lottie is used by 280,000+ companies worldwide and in many of the tools you use every day."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"According to monitoring by Scam Sniffer, Lottie Player suffered a supply chain attack, impacting projects such as 1inch and Movement."

Key Event Timeline - 1Inch Exchange DApp Lottie Player Supply Chain Attack

Date | Event | Description
October 30th, 2024 2:12:00 PM MDT | Official Start Of Phish | The official start time of the phishing, according to 1Inch.
October 30th, 2024 3:59:58 PM MDT | Attack Transaction | The attacker takes 10 wrapped bitcoin (BTC.b) from a phishing victim who had granted infinite approvals to the smart contract.
October 30th, 2024 4:22:00 PM MDT | Official End Of Phish | The official end time of the phishing, according to 1Inch.
October 30th, 2024 6:21:00 PM MDT | Scam Sniffer Tweet | Scam Sniffer posts a tweet about the incident.
October 30th, 2024 6:34:00 PM MDT | Removed Malicious Script | According to Scam Sniffer, the malicious version of the script has now been removed.
October 30th, 2024 7:37:00 PM MDT | Details On Attack | Scam Sniffer provides details on one of the victims affected by this scam event "3 hours ago".
October 30th, 2024 9:43:00 PM MDT | 1Inch Published Summary | 1Inch publishes a summary of the exploit, including its cause and effects.

Technical Details

"A Lottie Player compromise caused a malicious signature request on the 1inch dApp. 1inch smart contracts, Wallet, and APIs were unaffected."
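The damage in this case came from the infinite token approvals the injected prompt asked users to sign. The following is an added example, not code from 1inch, LottieFiles or the original case study: it decodes a wallet's ERC-20 Approval event logs, flags allowances that are effectively unlimited, and builds the approve(spender, 0) calldata that revokes them. The wallet, token, router and drainer addresses and the sample logs are all constructed placeholders.

```javascript
// Added example, not 1inch's or Lottie's code: scan a wallet's ERC-20 Approval
// logs for unlimited allowances and build the calldata that revokes them.
// Works offline on constructed sample logs; no RPC client or library needed.
// keccak256("Approval(address,address,uint256)"), the standard ERC-20 topic.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3"; // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;
// Allowances at or above 2^255 count as "unlimited" (MaxUint256, 2^255 and
// similar sentinels are all far beyond any real token balance).
const UNLIMITED_THRESHOLD = 1n << 255n;
// Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();
// Left-pad a 20-byte address to a 32-byte ABI word (with 0x prefix).
const pad32 = (addr) => "0x" + addr.slice(2).toLowerCase().padStart(64, "0");

function decodeApproval(log) {
  if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) return null;
  return { token: log.address.toLowerCase(), owner: topicToAddress(log.topics[1]),
           spender: topicToAddress(log.topics[2]), value: BigInt(log.data) };
}

// Latest allowance per (token, spender) for this wallet that is still unlimited;
// a later approve() of a smaller amount replaces an earlier unlimited one.
function findUnlimitedApprovals(logs, wallet) {
  const owner = wallet.toLowerCase();
  const latest = new Map();
  for (const log of logs) {
    const a = decodeApproval(log);
    if (a && a.owner === owner) latest.set(`${a.token}:${a.spender}`, a);
  }
  return [...latest.values()].filter((a) => a.value >= UNLIMITED_THRESHOLD);
}

// Calldata for approve(spender, 0): selector + 32-byte spender + 32-byte zero.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + pad32(spender).slice(2) + "0".repeat(64);
}

// Constructed sample: a normal 1000-unit approval to a router, then an
// unlimited approval to a made-up drainer address, as the phished users signed.
const WALLET = "0x" + "11".repeat(20), TOKEN = "0x" + "aa".repeat(20);
const ROUTER = "0x" + "bb".repeat(20), DRAINER = "0x" + "dd".repeat(20);
const SAMPLE_LOGS = [
  { address: TOKEN, topics: [APPROVAL_TOPIC, pad32(WALLET), pad32(ROUTER)],
    data: "0x" + (1000n).toString(16).padStart(64, "0") },
  { address: TOKEN, topics: [APPROVAL_TOPIC, pad32(WALLET), pad32(DRAINER)],
    data: "0x" + MAX_UINT256.toString(16) },
];
for (const a of findUnlimitedApprovals(SAMPLE_LOGS, WALLET))
  console.log(`unlimited: ${a.token} -> ${a.spender}; revoke: ${revokeCalldata(a.spender)}`);
```

In practice the logs come from an eth_getLogs query filtered on the Approval topic and the wallet as the indexed owner, and the revoke calldata is sent as a transaction to the token contract.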

Total Amount Lost

The total amount lost has been estimated at $723,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"On Oct 30, 9:12 PM - 11:22 PM CET, 1inch dApp users may have encountered a malicious wallet connect and signature request.

This signature allows an attacker to drain user's funds.

Only the 1inch web dApp was affected; the 1inch Wallet, API, and protocols were never compromised."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered has been estimated at $723,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References