This Week's Security News: M2 Exchange’s $13.7M Breach, $720,000 Stolen at 1inch in Supply Chain Attack

This Week's Security News: M2 Exchange’s $13.7M Breach, $720,000 Stolen at 1inch in Supply Chain Attack

Lottie Player Supply Chain Attack Caused $720,000 Stolen

A supply chain attack on the popular animation library Lottie Player compromised the security of several Web3 projects, including the 1inch and Movement dApps. The malicious code, embedded in version 2.0.5 of lottiefiles/lottie-player, prompted unauthorized wallet connection and signature requests for 1inch dApp users. Signing these requests enabled attackers to gain access to users' funds.

With the case of 1inch only the web dApp was affected by the attack; the 1inch Wallet, API, and core protocols remained secure. Following the breach, the 1inch team quickly removed the malicious version and restored security. Despite the swift response, at least one user reported losing 10 BTC (valued at $723,436) due to signing a phishing transaction, which is believed to be related to this supply chain attack.

  • Dedaub launches "Security Suite", providing Ethereum-compatible decompilation, monitoring, verification, and transaction simulation for contract analysis and secure testing.
    • Web3Builder news is supported in part by Dedaub

SUNRAY FINANCE Suffers $2.855M Loss Due to Private Key Compromise

SUNRAY FINANCE recently experienced a major security breach as an attacker exploited a private key compromise, gaining control over $SUN and $ARC tokens. The attacker minted large quantities of these tokens and subsequently sold them, draining liquidity from the platform’s decentralized exchange pairs. This exploit resulted in a total loss of approximately $2.855 million.

M2 Exchange’s $13.7M Breach and Swift Recovery Raises Questions

M2 Exchange reported a $13.7 million breach caused by an access control vulnerability, allowing an attacker to drain assets across Ethereum, Bitcoin, and Solana chains. M2 claimed to have detected and resolved the issue within 16 minutes, but Hacken’s analysis later revealed that a significant portion of the funds remains in attacker-controlled wallets, casting doubt on the exchange’s recovery claim.

M2’s rapid response was unusually swift but vague, providing few technical details and raising skepticism among observers. Despite assurances of restored security, M2’s statement offered no specific insights into the exploit’s cause or preventive measures going forward. With the stolen assets still untouched in known wallets, questions remain about the completeness of M2’s resolution and the platform’s ongoing security.

Web Cache Vulnerabilities: Poisoning, Deception, and URL Parsing Risks

Modern web systems rely heavily on caching to improve speed and efficiency, using Content Delivery Networks (CDNs) like CloudFlare and Akamai to store and serve static content. However, discrepancies in URL parsing between caches and application servers create vulnerabilities that can be exploited to inject malicious content or access sensitive data.

Web cache poisoning occurs when attackers trick the cache into storing harmful data by manipulating the cache’s key generation process, while cache deception allows attackers to store private user data by manipulating cache rules. Attackers use URL delimiters, like semicolons or dots, differently across platforms (e.g., Nginx, Rails, Spring) to control what data is stored.

Exploiting these discrepancies, especially with improperly normalized URLs, lets attackers store unauthorized responses in caches. With crafted requests, they can even poison highly-visited endpoints, affecting numerous users.

Defending against these risks involves enforcing cache control headers aligning URL parsing behavior across CDNs and origin servers, and disabling inconsistent caching rules to prevent exploitation.

Like this content? Subscribe to stay up to date.

Subscribe to Web3Builder.news

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe