dApp Observatory
We analyze dApp frontends to identify supply chain risks and Web2 security weaknesses.
About dApp Observatory
Coinspect dApp Observatory evaluates security risks in Web3 dApp frontends by analyzing their reliance on third-party JavaScript libraries loaded from external domains. These dependencies expose dApps to supply chain attacks, where compromised scripts can inject malicious code—like wallet drainers—directly into the user interface. This broadens dApp security to include risks that directly impact users beyond smart contracts.
FAQ
- What is the Coinspect dApp Observatory?
The Coinspect dApp Observatory maps third-party JavaScript dependencies loaded from external domains in Web3 dApp frontends to uncover supply chain security risks.
- What are third-party dependencies?
These are JavaScript libraries loaded from external servers (not hosted on the dApp’s domain), often via CDNs, to provide additional features such as analytics tools or UI components used by the dApp.
- What are the risks associated with these dependencies?
They can change upstream without notice; a compromised dependency can inject crypto wallet drainers that empty wallets.
- What web security settings can reduce the risk?
SRI and CSP help, but they aren’t always applicable. We’ve also observed that most dApps load scripts without implementing these protections.
- How were the dApps selected for this analysis?
We scanned all projects listed by DeFiLlama as of October 1, 2025, including their main domains and relevant subdomains associated with the application frontends.
- How were the third-party dependencies identified?
We logged all JavaScript executed in the browser and flagged any script served from a domain outside the dApp’s own infrastructure as a third-party dependency.
- Has this type of attack been exploited in the past?
Yes, there have been instances, such as the Ledger Connect Kit supply chain attack and the recent compromise of the lottie-player library affecting 1inch dApp.
- Why isn't my dApp listed?
Our scan on October 1, 2025 covered all projects indexed by DeFiLlama at that time. If your site doesn’t load JavaScript from external domains, or wasn’t part of DeFiLlama’s dataset when we ran the scan, it won’t appear by default.
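The FAQ above describes two things a frontend reviewer can check on their own dApp: which scripts come from outside the dApp's own domain, and whether those scripts are pinned with SRI. The following is an added illustration, not the Observatory's own scanner; the hostnames, the sample HTML and the `sha384-PLACEHOLDER` value are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a dApp page on DAPP_HOST loading four scripts.
DAPP_HOST = "example-dapp.test"
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.example-dapp.test/vendor.js"></script>
<script src="https://cdn.third-party.test/analytics.js"></script>
<script src="https://cdn.other.test/widget.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
"""


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.scripts.append(dict(attrs))


def third_party_scripts(html, dapp_host):
    """Flag scripts served from outside dapp_host (and its subdomains),
    recording whether each one is pinned with an SRI integrity value."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        host = urlparse(attrs["src"]).hostname
        if host is None:  # relative URL, served by the dApp itself
            continue
        if host == dapp_host or host.endswith("." + dapp_host):
            continue
        findings.append({"src": attrs["src"], "host": host,
                         "has_sri": "integrity" in attrs,
                         "crossorigin": attrs.get("crossorigin")})
    return findings


def sri_hash(script_bytes, algo="sha384"):
    """Value for the integrity attribute that pins script_bytes."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"
```

On a live page the same checks run against the fetched script bodies: an external script with no `integrity` attribute is the unpinned case the FAQ warns about, and one whose `sri_hash` no longer matches its attribute is a script that changed upstream. Cross-origin scripts also need `crossorigin="anonymous"` for the browser to enforce the integrity check.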
This observatory is for informational purposes only and should not be relied upon for legal, tax, financial, investment, or other advice. Coinspect does not guarantee the accuracy, completeness, timeliness, suitability, or validity of the information provided and assumes no responsibility for any claims arising from errors, omissions, or inaccuracies. While we have made every effort to include relevant data, some information may have been missed or excluded from this analysis.