{"id":21834,"date":"2025-03-07T16:25:54","date_gmt":"2025-03-07T14:25:54","guid":{"rendered":"https:\/\/forklog.com\/en\/outdated-1inch-smart-contract-vulnerability-leads-to-5-million-loss-hacker-returns-assets\/"},"modified":"2025-03-07T16:25:54","modified_gmt":"2025-03-07T14:25:54","slug":"outdated-1inch-smart-contract-vulnerability-leads-to-5-million-loss-hacker-returns-assets","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/outdated-1inch-smart-contract-vulnerability-leads-to-5-million-loss-hacker-returns-assets\/","title":{"rendered":"Outdated 1inch Smart Contract Vulnerability Leads to $5 Million Loss, Hacker Returns Assets"},"content":{"rendered":"<p>On March 5, the 1inch team identified a vulnerability in the outdated Fusion v1 smart contract. The flaw resulted in losses of 2.4 million USDT and 1276 wETH (~$2.7 million), according to the company <a href=\"https:\/\/twitter.com\/SlowMist_Team\/status\/1897958914114879656\" title=\"\">SlowMist<\/a>.<\/p>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">March 10, 2025 | 13:48<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span>\n<p id=\"block-d1b5cc4f-f75c-4654-b73a-6632a6d509e3\">In comments to ForkLog, 1inch lawyers clarified that the attack targeted specific resolvers (market makers) using the old smart contract, not the platform itself. The incident did not affect the aggregator&#8217;s funds or its users.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p id=\"block-d1b5cc4f-f75c-4654-b73a-6632a6d509e3\">\u201cThe vulnerability is linked to the outdated 1inch Settlement v1 contract, which is no longer relevant or in use. The threat was to resolvers that continued using the old contract without proper security measures,\u201d 1inch representatives noted.<\/p>\n<\/blockquote>\n<\/div>\n<p>Analysts recorded suspicious transactions related to the platform on the same day.<\/p>\n<p>1inch representatives stated that end-user funds were not affected. The incident only impacted resolvers using Fusion v1.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We\u2019re actively working with affected resolvers to secure their systems. We urge all resolvers to audit and update their contracts immediately. For more details and bug bounty info (inc. funds return), visit: <a href=\"https:\/\/t.co\/obLdWF2c6W\">https:\/\/t.co\/obLdWF2c6W<\/a><\/p>\n<p>\u2014 1inch (@1inch) <a href=\"https:\/\/twitter.com\/1inch\/status\/1897695349818487002?ref_src=twsrc%5Etfw\">March 6, 2025<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cWe are actively collaborating with affected parties to secure their systems. We urge all developers to urgently review and update their contracts,\u201d the warning stated.<\/em><\/p>\n<\/blockquote>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">March 7, 2025 | 20:35<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span>\n<p>The auditor Decurity released an <a href=\"https:\/\/blog.decurity.io\/yul-calldata-corruption-1inch-postmortem-a7ea7a53bfd9\">analysis of the incident<\/a>, describing it as \u201cone of the most complex attacks on DeFi.\u201d<\/p>\n<p>According to the report, the old version of 1inch Settlement had a callback option for executing all matching orders.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe callback function was supposed to be called only when the order was executed by the resolver&#8217;s contract itself. However, due to an error in handling function arguments when parsing the order suffix, it was possible to overwrite the resolver contract address and make a call to any of them. This led to losses for the market maker TrustedVolumes,\u201d experts explained.<\/p>\n<\/blockquote>\n<p>On March 5, the hacker requested a reward from the victim and agreed to a <a href=\"https:\/\/etherscan.io\/idm?addresses=0xbbb587e59251d219a7a05ce989ec1969c01522c0,0x1ef9bfb1e7480c01d3d00e9bca5f29625c6c4806&#038;type=1\">$450,000 payout<\/a> as a bounty. The remaining amount was <a href=\"https:\/\/etherscan.io\/tokentxns?a=0xbbb587e59251d219a7a05ce989ec1969c01522c0\">returned<\/a> to the market maker.<\/p>\n<\/div>\n<p>Back in February, the industry lost $1.53 billion, as <a href=\"https:\/\/forklog.com\/en\/news\/immunefi-reports-february-crypto-losses-of-1-53-billion-due-to-bybit-hack\">reported<\/a> by Immunefi experts. This was linked to the <a href=\"https:\/\/forklog.com\/en\/news\/bybit-exchange-suffers-1-46-billion-loss-in-hack\">Bybit exchange hack<\/a> of nearly $1.5 billion.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On March 5, the 1inch team identified a vulnerability in the outdated Fusion v1 smart contract. The flaw resulted in losses of 2.4 million USDT and 1276 wETH (~$2.7 million), according to the company SlowMist. March 10, 2025 | 13:48Update: In comments to ForkLog, 1inch lawyers clarified that the attack targeted specific resolvers (market makers) [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":21833,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1487,1301],"class_list":["post-21834","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-1inch","tag-blockchain-vulnerabilities"],"aioseo_notices":[],"amp_enabled":true,"views":"67","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21834","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=21834"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21834\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/21833"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=21834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=21834"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=21834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}