$5M Exploit Hits Resolvers Using Outdated 1inch Contracts

The vulnerability stemmed from the deprecated 1inch Settlement v1 contract, which had already been phased out. However, some resolvers continued using it without additional security measures.

1inch detected the vulnerability on March 5 and publicly disclosed the problem in a March 6 post on X.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

Crypto Research Fundamentals: How to DYOR (Animated Explainer)

SUBSCRIBE

ON YOUTUBE

By March 7, SlowMist, a blockchain security firm, confirmed in a post on X, "According to our analysis, this incident resulted in a loss of 2.4 million USD Coin USDC $1.00 and 1276 Wrapped Ethereum WETH $1,467.04 , totaling over $5 million".

The affected resolvers have since reached a bug bounty resolution with the hacker.

1inch assured that individual users’ assets remained untouched: "No end-user funds were at risk—only resolvers using Fusion v1 in their own contracts."

In response to the incident, the platform urged all resolvers to review and update their contracts:

We’re actively working with affected resolvers to secure their systems. We urge all resolvers to audit and update their contracts immediately.

To prevent similar exploits, 1inch introduced bug bounty programs to identify security gaps and explore ways to recover the stolen assets.

On February 12, zkLend, a decentralized lending protocol on Starknet, lost $4.9 million in a security breach. How did hackers pull it off? Read the full story.