ForkLog

Outdated 1inch Smart Contract Vulnerability Leads to $5 Million Loss, Hacker Returns Assets


On March 5, the 1inch team identified a vulnerability in the outdated Fusion v1 smart contract. According to security firm SlowMist, the flaw resulted in losses of 2.4 million USDT and 1,276 WETH (about $2.7 million), roughly $5 million in total.

Update:

In comments to ForkLog, 1inch's legal representatives clarified that the attack targeted specific resolvers (market makers) that were still using the old smart contract, not the platform itself. The incident did not affect the aggregator's funds or its users.

“The vulnerability is linked to the outdated 1inch Settlement v1 contract, which is no longer relevant or in use. The threat was to resolvers that continued using the old contract without proper security measures,” 1inch representatives noted.

Analysts recorded suspicious transactions related to the platform on the same day.

1inch representatives stated that end-user funds were not affected. The incident only impacted resolvers that were still using Fusion v1.

“We are actively collaborating with affected parties to secure their systems. We urge all developers to urgently review and update their contracts,” the warning stated.

Update:

Security auditing firm Decurity published an analysis of the incident, describing it as "one of the most complex attacks on DeFi."

According to the report, the old version of 1inch Settlement included a callback that was invoked when executing matched orders.

“The callback function was supposed to be called only when the order was executed by the resolver’s contract itself. However, due to an error in handling function arguments when parsing the order suffix, it was possible to overwrite the resolver contract address and make a call to any of them. This led to losses for the market maker TrustedVolumes,” experts explained.
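As an added illustration of the bug class Decurity describes, the following Solidity sketch models a settlement contract whose callback target is read from caller-supplied suffix data, next to a hardened settlement contract and a resolver that refuses callbacks it did not initiate. This is example code written for this article, not 1inch's Settlement or Fusion contract; the suffix layout, contract names, interface and function names are assumptions, since the page does not give the real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of the vulnerability class described above.
// NOT 1inch's code: layout, names and interfaces are assumed for illustration.

interface IResolver {
    // Callback a resolver (market maker contract) implements to finish settling an order.
    function resolveOrders(bytes calldata orderData) external;
}

interface ISettlement {
    function settleOrders(bytes calldata order, bytes calldata suffix) external;
}

contract SettlementVulnerable is ISettlement {
    // Assumed suffix layout: arbitrary bytes, then a 20-byte resolver address at the end.
    // The address comes straight out of untrusted calldata and is never authenticated.
    function settleOrders(bytes calldata order, bytes calldata suffix) external {
        require(suffix.length >= 20, "suffix too short");
        address resolver = address(bytes20(suffix[suffix.length - 20:]));
        // BUG: whoever builds `suffix` chooses `resolver`, so this contract can be made
        // to invoke resolveOrders() on ANY contract, including a real market maker's
        // resolver, which then acts on the attacker's `order` with the maker's funds.
        IResolver(resolver).resolveOrders(order);
    }
}

contract SettlementHardened is ISettlement {
    address public immutable owner;
    mapping(address => bool) public isResolver;

    constructor() {
        owner = msg.sender;
    }

    function setResolver(address resolver, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isResolver[resolver] = allowed;
    }

    function settleOrders(bytes calldata order, bytes calldata /* suffix */) external {
        // The callback target is the authenticated caller, never a field parsed out
        // of calldata. The suffix may carry other data but cannot redirect the call.
        require(isResolver[msg.sender], "caller is not a registered resolver");
        IResolver(msg.sender).resolveOrders(order);
    }
}

// Resolver-side defence in depth: even against a settlement contract with the bug,
// this resolver only honours a callback that it started itself in the same transaction.
contract ResolverGuarded is IResolver {
    address public immutable owner;
    address public immutable settlement;
    bool private inFlight;
    mapping(bytes32 => bool) public settled;

    constructor(address settlementContract) {
        owner = msg.sender;
        settlement = settlementContract;
    }

    // The market maker initiates settlement; only then is the callback accepted.
    function start(bytes calldata order, bytes calldata suffix) external {
        require(msg.sender == owner, "not owner");
        inFlight = true;
        ISettlement(settlement).settleOrders(order, suffix);
        inFlight = false;
    }

    function resolveOrders(bytes calldata orderData) external override {
        require(msg.sender == settlement, "callback from unknown settlement contract");
        require(inFlight, "callback was not initiated by this resolver");
        // Record the order as settled; a real resolver would move the maker's funds here.
        settled[keccak256(orderData)] = true;
    }
}
```

The key difference is where the callback target comes from: in the vulnerable sketch it is data that any caller can shape, in the hardened version it is `msg.sender` checked against an allow-list. The guarded resolver shows the mitigation a market maker can apply on its own side, which matters here because the affected parties were resolvers still pointed at an old contract they did not control.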

On March 5, the hacker requested a reward from the victim and agreed to a $450,000 payout as a bounty. The remaining amount was returned to the market maker.

In February, the industry lost $1.53 billion to hacks, according to Immunefi; almost all of that came from the Bybit exchange hack of nearly $1.5 billion.
