1inch

Note: The initial proposal was missing the necessary onchain transaction payload. Detailed explanation here.

---

Author: 1inch Foundation

---

Simple Summary

Authorize transfer of $768,026 USDC from DAO treasury to designated 1inch Foundation address for reimbursing verified users affected by the October 30th supply chain attack.

Abstract

On October 30, 2024, between 9:12 PM and 11:22 PM (CET), the 1inch dApp was compromised through a supply chain attack targeting the Lottie Player library. This security breach allowed attackers to replace the aggregation function with malicious code, resulting in approximately $768,026 of user token losses. This proposal authorizes the DAO to reimburse affected users through the 1inch Foundation’s distribution infrastructure.

Motivation

The DAO Guidelines explicitly task the DAO with assessing and administering strategic decisions to ensure the security of both the 1inch Network and its Interface. Section 4.3.2 grants the DAO authority to direct the Foundation in implementing operations that secure network interests.

A comprehensive reimbursement maintains user trust, demonstrates ecosystem resilience, and aligns with the DAO’s commitment to community protection. The Foundation’s established compliance framework provides an effective channel for user compensation while addressing regulatory requirements.

Specification

The reimbursement consists of a single transfer of $768,026 USDC from the DAO treasury to the Foundation’s address: 0x7D2aAE4F4A474e6c040f2E6678B9Ef1FA628C316. This amount represents the USD value of affected tokens at the time of the exploit.

The Foundation will manage all aspects of the compensation process:

1. Victim Verification Requirements:

   • Verifiable proof of funds lost (transaction hashes)

   • Filing of law enforcement reports

   • Completion of KYC compliance procedures

   • Signing of compensation agreement

2. Compensation Terms:

   • USD equivalent value at time of incident

   • Victims waive rights to any funds recovered through law enforcement

   • Any recovered funds will be returned to the DAO

Rationale

The ongoing criminal investigation involves the Royal Cayman Islands Police Service, blockchain investigation agencies (ZeroShadow, TRM Labs), and potential collaborations with Token Recover and Crystal Intelligence. Utilizing the Foundation’s established legal and compliance infrastructure creates the most efficient execution framework while maintaining necessary safeguards.

Considerations

Security

The exploit stemmed from an automatic update to a third-party UI library which introduced a vulnerability that compromised the Interface’s front-end. The Foundation has implemented enhanced dependency management procedures to prevent similar incidents.

Implementation

Post-approval, funds will transfer to the Foundation, which assumes responsibility for all compliance procedures, victim verification, and distribution. The Foundation commits to providing regular status updates and a final compensation report.

If any stolen funds are recovered through law enforcement, exchanges, or other means, the Foundation will return these funds to the DAO treasury, maintaining the integrity of the compensation process.