dApp Observatory
We analyze dApp frontends to identify supply chain risks and Web2 security weaknesses.
About dApp Observatory
Coinspect dApp Observatory evaluates security risks in Web3 dApp frontends by analyzing their reliance on third-party JavaScript libraries loaded from external domains. This dependency exposes dApps to supply chain attacks, where compromised scripts can inject malicious code—like wallet drainers—directly into the user interface. This broadens dApp security to include risks that directly impact users beyond smart contracts.
FAQ
- What is the Coinspect dApp Observatory?
The Coinspect dApp Observatory maps third-party JavaScript dependencies loaded from external domains in Web3 dApp frontends to uncover supply chain security risks.
- What are third-party dependencies?
These are JavaScript libraries loaded from external servers (not hosted on the dApp’s domain), often via CDNs, to provide additional features such as analytics tools or UI components used by the dApp.
- What are the risks associated with these dependencies?
External dependencies are beyond the dApp’s control, increasing the risk of harmful code injection that could compromise users’ wallets.
- What web security settings can reduce the risk?
Subresource Integrity (SRI) and Content Security Policy (CSP) help, but they aren’t always applicable. We’ve also observed that most dApps load scripts without implementing these protections.
- How were the dApps selected for this analysis?
The dApps were selected based on the top 1,000 ranked by Total Value Locked (TVL) on DeFiLlama as of July 2024.
- Why were subdomains of the dApp also considered?
We included subdomains because they can serve as attack vectors, especially since users are more likely to trust and interact with them as part of a known parent domain.
- How were the third-party dependencies identified?
We identified the dependencies by scanning dApp frontends, checking all JavaScript loaded from external domains, and tracking Web2 security settings.
- Has this type of attack been exploited in the past?
Yes, there have been instances, such as the Ledger Connect Kit supply chain attack and the recent compromise of the lottie-player library affecting the 1inch dApp.
- Why isn't my dApp listed?
If your dApp isn’t listed, it’s likely because it does not use third-party JavaScript dependencies hosted on external domains or it was not included in the top 1,000 dApps ranked by Total Value Locked (TVL) on DeFiLlama as of July 2024.
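The checks the FAQ describes (third-party scripts, SRI, CSP) can be reproduced with a small audit of a page's HTML. The following is an added example, not Coinspect's observatory tooling; the sample page, the host names and the CSP allowlist it uses are constructed for illustration.

```python
# Added example (not Coinspect's tooling): flag third-party <script src> tags that lack
# SRI and show what a CSP script-src allowlist does for them. All inputs are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> element that has a src."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = {k: (v or "") for k, v in attrs}  # valueless attrs (crossorigin) -> ""
            if a.get("src"):
                self.scripts.append(a)

def csp_allows(host, sources):
    """True if a CSP script-src host-source list allows loading from host."""
    for src in sources:
        src = src.split("://", 1)[-1].split("/", 1)[0].lower()  # drop scheme and path
        if src == host or (src.startswith("*.") and host.endswith(src[1:])):
            return True
    return False

def audit_scripts(html, page_host, csp_script_src=None):
    """One finding per third-party script; csp_script_src=None means no CSP header."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        host = urlparse(attrs["src"]).hostname
        if host is None or host == page_host:
            continue  # relative or same-origin src: not a third-party dependency
        issues = []
        if not attrs.get("integrity"):
            issues.append("no-sri")  # any change on the CDN reaches users unchecked
        elif "crossorigin" not in attrs:
            issues.append("sri-without-crossorigin")  # browser blocks the cross-origin load
        if csp_script_src is None:
            issues.append("no-csp")
        elif csp_allows(host, csp_script_src):
            issues.append("csp-allowlists-host")  # CSP cannot pin what that host serves
        findings.append({"src": attrs["src"], "host": host, "issues": issues})
    return findings

SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script src="https://cdn.lib.test/lottie-player.js" integrity="sha384-AAA" crossorigin="anonymous"></script>
</head></html>"""  # constructed sample frontend served from dapp.test
```

Run `audit_scripts(SAMPLE_HTML, "dapp.test")` to see the analytics tag flagged with no SRI and no CSP, while the pinned library only lacks CSP; the "csp-allowlists-host" finding is the reason CSP alone does not stop a compromised CDN.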
This observatory is for informational purposes only and should not be relied upon for legal, tax, financial, investment, or other advice. Coinspect does not guarantee the accuracy, completeness, timeliness, suitability, or validity of the information provided and assumes no responsibility for any claims arising from errors, omissions, or inaccuracies. While we have made every effort to include relevant data, some information may have been missed or excluded from this analysis.