1Inch Resolve Order Suffix Integer Overflow Vulnerability - Revision history

Azoundria: COMPLETE 30 minutes. Revised The Reality section with additional information from Rekt. Added information in the technical analysis section describing the flaw. Added loss information from SlowMist. Filled in extensive information on the Immediate Reactions from 1Inch Exchange. Added information about the 1Inche Exchange announcement. Added information about bug bounty program.

2025-03-18T18:35:20Z

COMPLETE 30 minutes. Revised The Reality section with additional information from Rekt. Added information in the technical analysis section describing the flaw. Added loss information from SlowMist. Filled in extensive information on the Immediate Reactions from 1Inch Exchange. Added information about the 1Inche Exchange announcement. Added information about bug bounty program.

← Older revision		Revision as of 12:35, 18 March 2025
Line 7:		Line 7:

	"1inch is dedicated to advancing a secure and compliant DeFi ecosystem. By uniting with forefront security and compliance specialists, we set the standard for safety and compliance, ensuring our users navigate the DeFi space with confidence."<ref name="1inchhomepage-11362" />		"1inch is dedicated to advancing a secure and compliant DeFi ecosystem. By uniting with forefront security and compliance specialists, we set the standard for safety and compliance, ensuring our users navigate the DeFi space with confidence."<ref name="1inchhomepage-11362" />

			1Inch Exchange has maintained a bug bounty program where users can submit bug reports and be rewarded up to $500,000<ref>[https://hackenproof.com/programs/1inch-smart-contract 1inch Smart Contract - HackenProof] (Accessed Mar 18th, 2025)</ref>, which has been present since at least July 2024<ref>[https://web.archive.org/web/20240720122444/https://hackenproof.com/programs/1inch-smart-contract 1inch Smart Contract - HackenProof Archive July 20th, 2024 6:24:44 AM MDT] (Accessed Mar 18, 2025)</ref>.

	== The Reality ==		== The Reality ==
	Despite several audits having been completed, a vulnerability remained present in the 1inch smart contract.		Despite several audits having been completed, a vulnerability remained present in the 1inch smart contract in the deprecated _settleOrder function, which had been part of the protocol’s earlier architecture<ref name="rekt1inhc-18746" />. Despite multiple audits, the vulnerability remained undetected for over two years<ref name="rekt1inhc-18746" />.

	== What Happened ==		== What Happened ==
Line 62:		Line 64:
	\|1Inch Team Provides Alternative		\|1Inch Team Provides Alternative
	\|The 1Inch team provides the attacker with an alternative means of contacting them via a ProtonMail email address<ref name="idmmessages-18748" />.		\|The 1Inch team provides the attacker with an alternative means of contacting them via a ProtonMail email address<ref name="idmmessages-18748" />.
			\|-
			\|March 5th, 2025 3:00:00 PM MST
			\|1Inch Team Discovers Vulnerability
			\|The 1Inch Exchange team uses this as the official timestamp where they report that they have discovered the vulnerability itself<ref name=":1">[https://twitter.com/1inch/status/1897695348232978770 1Inch Exchange - "At 23:00 CET on 05.03.25, the 1inch team discovered a vulnerability in resolver smart contracts using the obsolete Fusion v1 implementation. No end-user funds were at risk—only resolvers using Fusion v1 in their own contracts." - Twitter/X] (Accessed Mar 18, 2025)</ref>.
	\|-		\|-
	\|March 5th, 2025 4:40:00 PM MST		\|March 5th, 2025 4:40:00 PM MST
Line 82:		Line 88:
	\|Reported Return Of All Funds		\|Reported Return Of All Funds
	\|Decurity notes that "The attacker returned all the funds except for a fractional bounty." However, it's unclear what other transactions are involved in the return of funds<ref name="decuritypostmortem-18747" />.		\|Decurity notes that "The attacker returned all the funds except for a fractional bounty." However, it's unclear what other transactions are involved in the return of funds<ref name="decuritypostmortem-18747" />.
			\|-
			\|March 6th, 2025 10:06:00 AM MST
			\|1Inch Exchange Announcement
			\|1Inch Exchange posts an update to Twitter, informing the community about a vulnerability in resolver smart contracts utilizing the obsolete Fusion v1 implementation. They emphasized that '''no end-user funds were at risk''', and only the resolvers using Fusion v1 in their own contracts were affected. 1inch reassured the public that they were actively collaborating with the affected resolvers to secure their systems and urged all resolvers to '''audit and update their contracts immediately'''. Additionally, they provided information on the '''bug bounty program''' and details related to '''funds return'''.
	\|-		\|-
	\|March 7th, 2025 10:38:48 AM MST		\|March 7th, 2025 10:38:48 AM MST
Line 89:		Line 99:
	\|March 13th, 2025 1:54:00 PM MDT		\|March 13th, 2025 1:54:00 PM MDT
	\|Rekt News Article Published		\|Rekt News Article Published
	\|Rekt News publishes an article, describing the exploit turning 1Inch into a $5 million "ATM" through a negative integer underflow<ref name=":0">[https://twitter.com/RektHQ/status/1900274198184145146 Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X] (Accessed Mar 17, 2025)</ref>. The attacker discovered that by setting an interaction length to -512, they could manipulate memory pointers, hijack resolver addresses, and steal funds<ref name=":0">[https://twitter.com/RektHQ/status/1900274198184145146 Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X] (Accessed Mar 17, 2025)</ref>. Despite the vulnerability being missed by nine audit teams over two years, the hacker managed to steal approximately $4.5 million, later returning most of it after negotiating a bounty with the affected parties<ref name=":0">[https://twitter.com/RektHQ/status/1900274198184145146 Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X] (Accessed Mar 17, 2025)</ref>. The attack exposed fundamental flaws in security audits, with the vulnerability being traced back to a simple buffer overflow missed during multiple rounds of code reviews<ref name=":0">[https://twitter.com/RektHQ/status/1900274198184145146 Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X] (Accessed Mar 17, 2025)</ref>.		\|Rekt News publishes an article, describing the exploit turning 1Inch into a $5 million "ATM" through a negative integer underflow<ref name="rekt1inhc-18746" /><ref name=":0">[https://twitter.com/RektHQ/status/1900274198184145146 Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X] (Accessed Mar 17, 2025)</ref>. The attacker discovered that by setting an interaction length to -512, they could manipulate memory pointers, hijack resolver addresses, and steal funds<ref name="rekt1inhc-18746" /><ref name=":0">[https://twitter.com/RektHQ/status/1900274198184145146 Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X] (Accessed Mar 17, 2025)</ref>. Despite the vulnerability being missed by nine audit teams over two years, the hacker managed to steal approximately $4.5 million, later returning most of it after negotiating a bounty with the affected parties<ref name="rekt1inhc-18746" /><ref name=":0">[https://twitter.com/RektHQ/status/1900274198184145146 Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X] (Accessed Mar 17, 2025)</ref>. The attack exposed fundamental flaws in security audits, with the vulnerability being traced back to a simple buffer overflow missed during multiple rounds of code reviews<ref name="rekt1inhc-18746" /><ref name=":0">[https://twitter.com/RektHQ/status/1900274198184145146 Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X] (Accessed Mar 17, 2025)</ref>.
	\|}		\|}

	== Technical Details ==		== Technical Details ==
			The core issue was that the vulnerability was a '''basic arithmetic error'''—an integer underflow—that should have been easily caught by any thorough security check.

			The issue was a '''calldata corruption''' that allowed an attacker to exploit a '''negative interaction length''' (set to -512), triggering an '''integer underflow'''. This caused memory pointers to underflow, redirecting function calls and giving the attacker control over the resolver contracts, enabling them to steal funds.

			The exploit was deceptively simple, relying on basic arithmetic manipulation—specifically, a negative number in the calldata—to bypass security measures. By creating seemingly normal transactions padded with null bytes and setting the interaction length to the negative value, the attacker could hijack memory pointers and redirect control, ultimately siphoning off millions in stolen funds.



	"The exploit targeted a third-party resolver contract integrated with the the Fusion V1 protocol. 1inch Fusion is an efficient gasless swap protocol built on top of 1inch Limit Order Protocol. Fusion V1 was deprecated mid-2023 but was not destructed for the purpose of backwards compatibility for the users who still needed the old version."		"The exploit targeted a third-party resolver contract integrated with the the Fusion V1 protocol. 1inch Fusion is an efficient gasless swap protocol built on top of 1inch Limit Order Protocol. Fusion V1 was deprecated mid-2023 but was not destructed for the purpose of backwards compatibility for the users who still needed the old version."



Line 109:		Line 128:
	== Total Amount Lost ==		== Total Amount Lost ==
	"The final tally: TrustedVolumes got most of their $4.5M back minus the 10% 'bounty' the attacker kept ($450K), while smaller market makers collectively lost around $500K."		"The final tally: TrustedVolumes got most of their $4.5M back minus the 10% 'bounty' the attacker kept ($450K), while smaller market makers collectively lost around $500K."

			SlowMist, a security firm, conducted a follow-up investigation and reports that 2.4 million USDC and 1,276 WETH was missing<ref name="rekt1inhc-18746" />.

	The total amount lost has been estimated at $5,000,000 USD.		The total amount lost has been estimated at $5,000,000 USD.

	== Immediate Reactions ==		== Immediate Reactions ==
	Decurity describes observing the transactions and being unable to determine if there was a vulnerability or perhaps it was a simple phishing attack<ref name="decuritypostmortem-18747" />.		On March 6, 2025, 1Inch Exchange issued an announcement about a vulnerability in their obsolete '''Fusion v1 resolver contracts''', which were part of their earlier system<ref name="rekt1inhc-18746" /><ref name=":1" />. In this statement, they reassured the public that '''"no end-user funds were at risk"'''<ref name="rekt1inhc-18746" /><ref name=":1" /> and seemed to downplay the severity of the situation<ref name="rekt1inhc-18746" /><ref name=":1" />. It appeared to be just another routine patch for outdated code<ref name="rekt1inhc-18746" /><ref name=":1" />.<blockquote>At 23:00 CET on 05.03.25, the 1inch team discovered a vulnerability in resolver smart contracts using the obsolete Fusion v1 implementation. No end-user funds were at risk—only resolvers using Fusion v1 in their own contracts.

			We’re actively working with affected resolvers to secure their systems.We urge all resolvers to audit and update their contracts immediately. For more details and bug bounty info (inc. funds return), visit[ HackenProof.]</blockquote>However, the attack had already resulted in the theft of '''$5 million''', a detail that 1inch had been notified about<ref name="decuritypostmortem-18747" /> and appeared to hint at with discussions of "funds return" for example<ref name=":1" />. Security firm Decurity describes observing the transactions and being unable to determine if there was a vulnerability or perhaps it was a simple phishing attack<ref name="decuritypostmortem-18747" />, and notifying 1Inch Exchange at the time<ref name="decuritypostmortem-18747" />. It wasn’t until '''SlowMist''', a security firm, conducted a follow-up investigation that the full scale of the theft—'''2.4 million USDC and 1,276 WETH'''—was revealed<ref name="rekt1inhc-18746" />.

	== Ultimate Outcome ==		== Ultimate Outcome ==

Azoundria: COMPLETE 30 Minutes. Updated template. Reviewed and integrated sources throughout article. Added Reality, Immediate Reaction, Total Amount Recovered section. Integrated Rekt News article into timeline.

2025-03-17T23:49:53Z

COMPLETE 30 Minutes. Updated template. Reviewed and integrated sources throughout article. Added Reality, Immediate Reaction, Total Amount Recovered section. Integrated Rekt News article into timeline.

Show changes

Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/1inchresolveordersuffixintegeroverflowvulnerability.php}} {{Unattributed Sources}} 1Inch Logo/Homepage1inch, a decentralized finance platform, offers tools for optimizing trades across multiple networks, swapping tokens, and managing assets securely, while also emphasizing its commitment to security and compliance. The platform's older Fusion V1 protocol..."

2025-03-14T19:12:58Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/1inchresolveordersuffixintegeroverflowvulnerability.php}} {{Unattributed Sources}} thumb|1Inch Logo/Homepage1inch, a decentralized finance platform, offers tools for optimizing trades across multiple networks, swapping tokens, and managing assets securely, while also emphasizing its commitment to security and compliance. The platform's older Fusion V1 protocol..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/1inchresolveordersuffixintegeroverflowvulnerability.php}}
{{Unattributed Sources}}

[[File:1inchexchange.jpg|thumb|1Inch Logo/Homepage]]1inch, a decentralized finance platform, offers tools for optimizing trades across multiple networks, swapping tokens, and managing assets securely, while also emphasizing its commitment to security and compliance. The platform's older Fusion V1 protocol, though deprecated, became the target of a vulnerability that allowed an attacker to exploit a bug in the resolver contract, draining millions of dollars. Despite several audits, the flaw remained undetected for over two years. After a series of negotiations, most of the stolen funds were returned, minus a 10% bounty.<ref name="1inchhomepage-11362" /><ref name="rekt1inhc-18746" /><ref name="decuritypostmortem-18747" /><ref name="idmmessages-18748" /><ref name="attacktransaction1-18749" /><ref name="attacktransaction2-18750" /><ref name="attacktransaction3-18751" /><ref name="attacktransaction4-18752" /><ref name="attacktransaction5-18753" /><ref name="attacktransaction6-18754" /><ref name="attacktransaction7-18755" /><ref name="attacktransaction8-18756" /><ref name="attacktransaction9-18757" /><ref name="attacktransaction10-18758" /><ref name="refundtransaction1-18759" /><ref name="refundtransaction2-18760" /><ref name="auditfirmlist-18761" />

== About 1Inch Exchange ==
"One-stop access to decentralized finance" "Optimize your trades across hundreds of DEXes on multiple networks" "A tool for swapping tokens across any network and placing on-chain limit orders securely, at the best rate." "The most powerful mobile app for managing your assets and exploring Web3." "A cutting-edge tracking tool offering accurate, detailed and well-organized crypto portfolio information."

"1inch is dedicated to advancing a secure and compliant DeFi ecosystem. By uniting with forefront security and compliance specialists, we set the standard for safety and compliance, ensuring our users navigate the DeFi space with confidence."

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
A vulnerability in 1inch's deprecated Fusion V1 contracts allowed an attacker to exploit a calldata corruption issue, stealing $5 million by using a simple integer overflow trick.
{| class="wikitable"
|+Key Event Timeline - 1Inch Resolve Order Suffix Integer Overflow Vulnerability
!Date
!Event
!Description
|-
|March 5th, 2025 10:15:23 AM MST
|First Attack Transaction Occurs
|The first attack transaction on the Ethereum blockchain.
|-
|March 5th, 2025 10:31:00 AM MST
|Decurity Team Alerted
|The Decurity team "noticed a hack alert related to 1inch in the Defimon dashboard and Telegram channel".
|-
|March 5th, 2025 10:38:00 AM MST
|Decurity Team Investigation
|The Decurity team "started looking into it, some funds were still intact, the reason was unclear".
|-
|March 5th, 2025 10:47:00 AM MST
|Decurity Team Confusion
|The Decurity team notes their confusino at the time. "Someone made bad trades on 1inch or got phished?"
|-
|March 5th, 2025 10:53:00 AM MST
|Decurity Team Conclusion
|The Decurity team "decided that this is a bug in the resolver’s implementation."
|-
|March 5th, 2025 10:54:35 AM MST
|Final Attack Transaction Occurs
|The final attack transaction in the sequence. As Decurity team notes, "The hacker finished draining the funds.".
|-
|March 5th, 2025 10:55:00 AM MST
|Decurity Team Notifies 1Inch
|The Decurity team "became confident this is a 3rd party resolver hack and notified the 1inch team".
|-
|March 5th, 2025 11:10:00 AM MST
|Decurity Team Joins War Room
|The Decurity team "joined the war room, started brainstorming the reasons and looking for other affected resolver implementations".
|-
|March 5th, 2025 11:34:23 AM MST
|Attacker Requests For Bounty
|The attacker sent an on-chain message via IDM "Can I have bounty?".
|-
|March 5th, 2025 11:51:11 AM MST
|1Inch Team Responds About Bounty
|The 1Inch team responds via the IDM messaging system, providing the attacker with a Telegram chat channel "trustedvolumes".
|-
|March 5th, 2025 1:01:11 PM MST
|1Inch Team Provides Alternative
|The 1Inch team provides the attacker with an alternative means of contacting them via a ProtonMail email address.
|-
|March 5th, 2025 4:40:00 PM MST
|Decurity Root Cause Analysis
|The Decurity team "finished the analysis and identified the root cause and exploit mechanics".
|-
|March 5th, 2025 4:55:35 PM MST
|Bounty Negotations Officially Completed
|The 1Inch team notes in an IDM that they're reached an agreement with the attacker for a bug bounty of $450k. The official refund address is provided. Decurity notes this as the "egotiations concluded successfully".
|-
|March 5th, 2025 4:59:59 PM MST
|Return Of USDC Funds From Exploit
|The attacker returns 2,400,000 USDC to the official refund address.
|-
|March 5th, 2025 5:02:35 PM MST
|Return Of WETH Funds From Exploit
|The attacker returns 1,076 WETH to the official refund address.
|-
|March 5th, 2025 9:12:00 PM MST
|Reported Return Of All Funds
|Decurity notes that "The attacker returned all the funds except for a fractional bounty." However, it's unclear what other transactions are involved in the return of funds.
|-
|March 7th, 2025 10:38:48 AM MST
|Decurity PostMortem Published
|Decurity publishees a post-mortem revealing that the attack exploited a vulnerability in the order suffix processing of 1inch's older Fusion V1 protocol, enabling an attacker to overwrite the resolver address and call arbitrary resolvers. This led to a loss for market maker TrustedVolumes, but after negotiations, most of the funds were returned, with only a fractional bounty remaining. The post-mortem reveals that despite multiple audits, the vulnerability went unnoticed for over two years, largely due to the code's evolution and lack of attention to the resolver contract. It emphasizes lessons learned about audit scope, threat modeling, and the importance of real-time threat detection and post-deployment security.
|}

== Technical Details ==
"The exploit targeted a third-party resolver contract integrated with the the Fusion V1 protocol. 1inch Fusion is an efficient gasless swap protocol built on top of 1inch Limit Order Protocol. Fusion V1 was deprecated mid-2023 but was not destructed for the purpose of backwards compatibility for the users who still needed the old version."

"The attacker used the following approach:

Create a normal order swapping a few wei for millions USD.
Pad it with null-bytes.
Specify an invalid interactionLength value (0xffff…fe00 = -512).
Add a fake suffix structure as an interaction."

== Total Amount Lost ==
"The final tally: TrustedVolumes got most of their $4.5M back minus the 10% 'bounty' the attacker kept ($450K), while smaller market makers collectively lost around $500K."

The total amount lost has been estimated at $5,000,000 USD.

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

A bounty of $450,000 USD was paid for the discovery.

== Total Amount Recovered ==
The total amount recovered has been estimated at $4,550,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="1inchhomepage-11362">[https://1inch.io/ 1inch Network | Leading high capital efficient DeFi protocols] (Accessed Jul 19, 2023)</ref>

<ref name="rekt1inhc-18746">[https://rekt.news/1inch-rekt/ 1Inch - Rekt] (Accessed Mar 14, 2025)</ref>

<ref name="decuritypostmortem-18747">[https://blog.decurity.io/yul-calldata-corruption-1inch-postmortem-a7ea7a53bfd9 Yul Calldata Corruption - 1inch Postmortem - Decurity] (Accessed Mar 14, 2025)</ref>

<ref name="idmmessages-18748">[https://etherscan.io/idm?addresses=0xbbb587e59251d219a7a05ce989ec1969c01522c0%2C0x1ef9bfb1e7480c01d3d00e9bca5f29625c6c4806&type=1 IDM Communication - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction1-18749">[https://etherscan.io/tx/0x62734ce80311e64630a009dd101a967ea0a9c012fabbfce8eac90f0f4ca090d6 Attack Transaction 1 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction2-18750">[https://etherscan.io/tx/0xb0688eb1f46c28f36d7397366146fced23d3f8da7e08b760a5f612ce134ee9d2 Attack Transaction 2 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction3-18751">[https://etherscan.io/tx/0x9ce5187c7160f531189e4765f21af5975dc2a62d961fb61ae09866d082918256 Attack Transaction 3 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction4-18752">[https://etherscan.io/tx/0x3947e5a4d98104e313e08ee321673e1183db3d6ff8b7207f3eabb36f71436c1d Attack Transaction 4 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction5-18753">[https://etherscan.io/tx/0x74bc4d5dc7f8da468788da6087bb9f73465966ab5b8cf9cf1053d98e78a9bf96 Attack Transaction 5 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction6-18754">[https://etherscan.io/tx/0xefcb740bf9ec17ed99839ffcc05393fae5ec2d44149aee91ba119f48bc20a1ef Attack Transaction 6 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction7-18755">[https://etherscan.io/tx/0xc69b4c8029c70ae468e92af31120ac6b01bb89c6e35d34818413e9942aedebb6 Attack Transaction 7 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction8-18756">[https://etherscan.io/tx/0xb16bbf03d324b66685c94d62dbe31c739ee23c114b3915d169c74cd7c98eec8c Attack Transaction 8 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction9-18757">[https://etherscan.io/tx/0xb5c94efa0c8fd8f5c8cc2826e374a99620b01061d395b59b8f45dddc9fce1c60 Attack Transaction 9 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="attacktransaction10-18758">[https://etherscan.io/tx/0x04975648e0db631b0620759ca934861830472678dae82b4bed493f1e1e3ed03a Attack Transaction 10 - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="refundtransaction1-18759">[https://etherscan.io/tx/0x99ff2067bfa6f5e30afcefc45477cb5bb661d85890ece002a4a0ce348a3c6e7a Attacker Returns 2,400,000 USDC To 1Inch - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="refundtransaction2-18760">[https://etherscan.io/tx/0xbe270b797de02c382df8c569813837fc0a6bb97809fd8a512b50c87c750bc367 Attacker Returns 1,076 WETH To 1Inch - Etherscan] (Accessed Mar 14, 2025)</ref>

<ref name="auditfirmlist-18761">[https://github.com/1inch/1inch-audits/tree/master/Fusion%20mode%20and%20Token-plugins List Of Reported Audits Completed - Github] (Accessed Mar 14, 2025)</ref></references>