Quadriga Initiative Logo.png

QUADRIGA INITIATIVE

CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM

A COMMUNITY-BASED, NOT-FOR-PROFIT

$5 000 000 USD

MARCH 2025

GLOBAL

1INCH EXCHANGE

DESCRIPTION OF EVENTS

"One-stop access to decentralized finance" "Optimize your trades across hundreds of DEXes on multiple networks" "A tool for swapping tokens across any network and placing on-chain limit orders securely, at the best rate." "The most powerful mobile app for managing your assets and exploring Web3." "A cutting-edge tracking tool offering accurate, detailed and well-organized crypto portfolio information."

 

"1inch is dedicated to advancing a secure and compliant DeFi ecosystem. By uniting with forefront security and compliance specialists, we set the standard for safety and compliance, ensuring our users navigate the DeFi space with confidence."

 

"The exploit targeted a third-party resolver contract integrated with the the Fusion V1 protocol. 1inch Fusion is an efficient gasless swap protocol built on top of 1inch Limit Order Protocol. Fusion V1 was deprecated mid-2023 but was not destructed for the purpose of backwards compatibility for the users who still needed the old version."

 

"The attacker used the following approach:

 

Create a normal order swapping a few wei for millions USD. Pad it with null-bytes. Specify an invalid interactionLength value (0xffff…fe00 = -512). Add a fake suffix structure as an interaction."

 

"The final tally: TrustedVolumes got most of their $4.5M back minus the 10% 'bounty' the attacker kept ($450K), while smaller market makers collectively lost around $500K."

 

Explore This Case Further On Our Wiki

1inch, a decentralized finance platform, offers tools for optimizing trades across multiple networks, swapping tokens, and managing assets securely, while also emphasizing its commitment to security and compliance. The platform's older Fusion V1 protocol, though deprecated, became the target of a vulnerability that allowed an attacker to exploit a bug in the resolver contract, draining millions of dollars. Despite several audits, the flaw remained undetected for over two years. After a series of negotiations, most of the stolen funds were returned, minus a 10% bounty.

1inch Network | Leading high capital efficient DeFi protocols (Jul 19)
1Inch - Rekt (Mar 14)
Yul Calldata Corruption - 1inch Postmortem - Decurity (Mar 14)
IDM Communication - Etherscan (Mar 14)
Attack Transaction 1 - Etherscan (Mar 14)
Attack Transaction 2 - Etherscan (Mar 14)
Attack Transaction 3 - Etherscan (Mar 14)
Attack Transaction 4 - Etherscan (Mar 14)
Attack Transaction 5 - Etherscan (Mar 14)
Attack Transaction 6 - Etherscan (Mar 14)
Attack Transaction 7 - Etherscan (Mar 14)
Attack Transaction 8 - Etherscan (Mar 14)
Attack Transaction 9 - Etherscan (Mar 14)
Attack Transaction 10 - Etherscan (Mar 14)
Attacker Returns 2,400,000 USDC To 1Inch - Etherscan (Mar 14)
Attacker Returns 1,076 WETH To 1Inch - Etherscan (Mar 14)
List Of Reported Audits Completed - Github (Mar 14)

Sources And Further Reading

More case studies

Infini Money Anonymous
Developer Backdoor Vault Theft

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.