1Inch Resolve Order Suffix Integer Overflow Vulnerability: Difference between revisions
(COMPLETE 30 Minutes. Updated template. Reviewed and integrated sources throughout article. Added Reality, Immediate Reaction, Total Amount Recovered section. Integrated Rekt News article into timeline.)
(COMPLETE 30 minutes. Revised The Reality section with additional information from Rekt. Added information in the technical analysis section describing the flaw. Added loss information from SlowMist. Filled in extensive information on the Immediate Reactions from 1Inch Exchange. Added information about the 1Inch Exchange announcement. Added information about bug bounty program.)
Latest revision as of 12:35, 18 March 2025
1inch, a decentralized finance platform, offers tools for optimizing trades across multiple networks, swapping tokens, and managing assets securely, while also emphasizing its commitment to security and compliance. The platform's older Fusion V1 protocol, though deprecated, became the target of a vulnerability that allowed an attacker to exploit a bug in the resolver contract, draining millions of dollars. Despite several audits, the flaw remained undetected for over two years. After a series of negotiations, most of the stolen funds were returned, minus a 10% bounty.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]
About 1Inch Exchange
"One-stop access to decentralized finance" "Optimize your trades across hundreds of DEXes on multiple networks" "A tool for swapping tokens across any network and placing on-chain limit orders securely, at the best rate." "The most powerful mobile app for managing your assets and exploring Web3." "A cutting-edge tracking tool offering accurate, detailed and well-organized crypto portfolio information."[17]
"1inch is dedicated to advancing a secure and compliant DeFi ecosystem. By uniting with forefront security and compliance specialists, we set the standard for safety and compliance, ensuring our users navigate the DeFi space with confidence."[17]
1Inch Exchange has maintained a bug bounty program, present since at least July 2024[19], under which users can submit bug reports and be rewarded up to $500,000[18].
The Reality
Despite several completed audits, a vulnerability remained present in the 1inch smart contract in the deprecated _settleOrder function, which had been part of the protocol’s earlier architecture[1]. It remained undetected for over two years[1].
What Happened
A vulnerability in 1inch's deprecated Fusion V1 contracts allowed an attacker to exploit a calldata corruption issue, stealing $5 million by using a simple integer overflow trick.
| Date | Event | Description |
|---|---|---|
| March 5th, 2025 10:15:23 AM MST | First Attack Transaction Occurs | The first attack transaction on the Ethereum blockchain[2][4]. |
| March 5th, 2025 10:31:00 AM MST | Decurity Team Alerted | The Decurity team "noticed a hack alert related to 1inch in the Defimon dashboard and Telegram channel"[2]. |
| March 5th, 2025 10:38:00 AM MST | Decurity Team Investigation | The Decurity team "started looking into it, some funds were still intact, the reason was unclear"[2]. |
| March 5th, 2025 10:47:00 AM MST | Decurity Team Confusion | The Decurity team notes their confusion at the time. "Someone made bad trades on 1inch or got phished?"[2] |
| March 5th, 2025 10:53:00 AM MST | Decurity Team Conclusion | The Decurity team "decided that this is a bug in the resolver’s implementation."[2] |
| March 5th, 2025 10:54:35 AM MST | Final Attack Transaction Occurs | The final attack transaction in the sequence[13]. As the Decurity team notes, "The hacker finished draining the funds."[2] |
| March 5th, 2025 10:55:00 AM MST | Decurity Team Notifies 1Inch | The Decurity team "became confident this is a 3rd party resolver hack and notified the 1inch team"[2]. |
| March 5th, 2025 11:10:00 AM MST | Decurity Team Joins War Room | The Decurity team "joined the war room, started brainstorming the reasons and looking for other affected resolver implementations"[2]. |
| March 5th, 2025 11:34:23 AM MST | Attacker Requests For Bounty | The attacker sent an on-chain message via IDM "Can I have bounty?"[2][3]. |
| March 5th, 2025 11:51:11 AM MST | 1Inch Team Responds About Bounty | The 1Inch team responds via the IDM messaging system, providing the attacker with a Telegram chat channel "trustedvolumes"[3]. |
| March 5th, 2025 1:01:11 PM MST | 1Inch Team Provides Alternative | The 1Inch team provides the attacker with an alternative means of contacting them via a ProtonMail email address[3]. |
| March 5th, 2025 3:00:00 PM MST | 1Inch Team Discovers Vulnerability | The 1Inch Exchange team reports this as the official time at which they discovered the vulnerability itself[20]. |
| March 5th, 2025 4:40:00 PM MST | Decurity Root Cause Analysis | The Decurity team "finished the analysis and identified the root cause and exploit mechanics"[2]. |
| March 5th, 2025 4:55:35 PM MST | Bounty Negotiations Officially Completed | The 1Inch team notes in an IDM that they've reached an agreement with the attacker for a bug bounty of $450k[3]. The official refund address is provided[3]. Decurity notes this as the "negotiations concluded successfully"[2]. |
| March 5th, 2025 4:59:59 PM MST | Return Of USDC Funds From Exploit | The attacker returns 2,400,000 USDC to the official refund address[14]. |
| March 5th, 2025 5:02:35 PM MST | Return Of WETH Funds From Exploit | The attacker returns 1,076 WETH to the official refund address[15]. |
| March 5th, 2025 9:12:00 PM MST | Reported Return Of All Funds | Decurity notes that "The attacker returned all the funds except for a fractional bounty." However, it's unclear what other transactions are involved in the return of funds[2]. |
| March 6th, 2025 10:06:00 AM MST | 1Inch Exchange Announcement | 1Inch Exchange posts an update to Twitter, informing the community about a vulnerability in resolver smart contracts utilizing the obsolete Fusion v1 implementation. They emphasized that no end-user funds were at risk, and only the resolvers using Fusion v1 in their own contracts were affected. 1inch reassured the public that they were actively collaborating with the affected resolvers to secure their systems and urged all resolvers to audit and update their contracts immediately. Additionally, they provided information on the bug bounty program and details related to funds return. |
| March 7th, 2025 10:38:48 AM MST | Decurity PostMortem Published | Decurity publishes a post-mortem revealing that the attack exploited a vulnerability in the order suffix processing of 1inch's older Fusion V1 protocol, enabling an attacker to overwrite the resolver address and call arbitrary resolvers[2]. This led to a loss for market maker TrustedVolumes, but after negotiations, most of the funds were returned, with only a fractional bounty remaining. The post-mortem reveals that despite multiple audits, the vulnerability went unnoticed for over two years, largely due to the code's evolution and lack of attention to the resolver contract. It emphasizes lessons learned about audit scope, threat modeling, and the importance of real-time threat detection and post-deployment security[2]. |
| March 13th, 2025 1:54:00 PM MDT | Rekt News Article Published | Rekt News publishes an article, describing the exploit turning 1Inch into a $5 million "ATM" through a negative integer underflow[1][21]. The attacker discovered that by setting an interaction length to -512, they could manipulate memory pointers, hijack resolver addresses, and steal funds[1][21]. Despite the vulnerability being missed by nine audit teams over two years, the hacker managed to steal approximately $4.5 million, later returning most of it after negotiating a bounty with the affected parties[1][21]. The attack exposed fundamental flaws in security audits, with the vulnerability being traced back to a simple buffer overflow missed during multiple rounds of code reviews[1][21]. |
Technical Details
At its core, the vulnerability was a basic arithmetic error, an integer underflow, that should have been easily caught by any thorough security check.
The issue was a calldata corruption that allowed an attacker to exploit a negative interaction length (set to -512), triggering an integer underflow. This caused memory pointers to underflow, redirecting function calls and giving the attacker control over the resolver contracts, enabling them to steal funds.
The exploit was deceptively simple, relying on basic arithmetic manipulation—specifically, a negative number in the calldata—to bypass security measures. By creating seemingly normal transactions padded with null bytes and setting the interaction length to the negative value, the attacker could hijack memory pointers and redirect control, ultimately siphoning off millions in stolen funds.
"The exploit targeted a third-party resolver contract integrated with the Fusion V1 protocol. 1inch Fusion is an efficient gasless swap protocol built on top of 1inch Limit Order Protocol. Fusion V1 was deprecated mid-2023 but was not destructed for the purpose of backwards compatibility for the users who still needed the old version."
"The attacker used the following approach:
1. Create a normal order swapping a few wei for millions USD.
2. Pad it with null-bytes.
3. Specify an invalid interactionLength value (0xffff…fe00 = -512).
4. Add a fake suffix structure as an interaction."
Attack transactions:[4][5][6][7][8][9][10][11][12][13]
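The wrap-around described in this section can be reproduced with a small model that contrasts an unchecked 256-bit addition with a bounds-checked one. This is an added example, not code from 1inch, Decurity or the original page. The buffer layout, the 32-byte suffix size, the assumption that the callee reads the suffix from the end of the buffer, and all function names are assumptions made for illustration.

```python
# Added illustration: simplified model of unchecked 256-bit offset arithmetic.
# Layout, sizes and names are assumptions for this sketch, not 1inch code.

WORD = 1 << 256      # EVM words wrap modulo 2**256
SUFFIX_LEN = 32      # assumed size of the trusted suffix in this model


def as_signed(word):
    """Read a 256-bit word as a two's-complement signed integer."""
    return word - WORD if word >= WORD >> 1 else word


def suffix_offset_unchecked(interaction_offset, declared_length):
    """Yul-style add(): no overflow check, the sum wraps modulo 2**256."""
    return (interaction_offset + declared_length) % WORD


def suffix_offset_checked(interaction_offset, declared_length, buffer_size):
    """Hardened form: reject any length that does not fit between the
    interaction start and the bytes reserved for the suffix."""
    room = buffer_size - SUFFIX_LEN - interaction_offset
    if room < 0 or declared_length > room:
        raise ValueError("interactionLength %d does not fit in %d bytes"
                         % (as_signed(declared_length), max(room, 0)))
    return interaction_offset + declared_length


def build_buffer(buffer_size, interaction_offset, interaction,
                 declared_length, trusted_suffix, checked):
    """Null padding, then the interaction bytes, then the trusted suffix
    written at interaction_offset + declared_length."""
    if checked:
        pos = suffix_offset_checked(interaction_offset, declared_length,
                                    buffer_size)
    else:
        pos = suffix_offset_unchecked(interaction_offset, declared_length)
    buf = bytearray(buffer_size)
    buf[interaction_offset:interaction_offset + len(interaction)] = interaction
    buf[pos:pos + len(trusted_suffix)] = trusted_suffix
    return pos, bytes(buf)


def tail(buf):
    """Assumption of this model: the callee reads the suffix from the end."""
    return buf[-SUFFIX_LEN:]


# Constructed sample values.
TRUSTED = b"\x11" * SUFFIX_LEN     # suffix written by the settlement code
SUPPLIED = b"\xee" * SUFFIX_LEN    # caller-supplied interaction bytes
MINUS_512 = WORD - 512             # 0xffff...fe00 read as an unsigned word

if __name__ == "__main__":
    # Well-formed: 64-byte interaction at offset 512, suffix lands at the tail.
    pos, buf = build_buffer(608, 512, b"\xaa" * 64, 64, TRUSTED, checked=False)
    print(pos, tail(buf) == TRUSTED)
    # Malformed length: the write lands 512 bytes early, in the null padding,
    # so the bytes at the tail are no longer the trusted suffix.
    pos, buf = build_buffer(608, 576, SUPPLIED, MINUS_512, TRUSTED, checked=False)
    print(pos, tail(buf) == TRUSTED, tail(buf) == SUPPLIED)
    # The hardened path rejects the same input before any write happens.
    try:
        build_buffer(608, 576, SUPPLIED, MINUS_512, TRUSTED, checked=True)
    except ValueError as exc:
        print("rejected:", exc)
```

The check compares the declared length against the remaining room as an unsigned value, so a word such as 0xffff…fe00 fails it without any signed interpretation being needed.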
Total Amount Lost
"The final tally: TrustedVolumes got most of their $4.5M back minus the 10% 'bounty' the attacker kept ($450K), while smaller market makers collectively lost around $500K."
SlowMist, a security firm, conducted a follow-up investigation and reports that 2.4 million USDC and 1,276 WETH were missing[1].
The total amount lost has been estimated at $5,000,000 USD.
Immediate Reactions
On March 6, 2025, 1Inch Exchange issued an announcement about a vulnerability in their obsolete Fusion v1 resolver contracts, which were part of their earlier system[1][20]. In this statement, they reassured the public that "no end-user funds were at risk"[1][20] and seemed to downplay the severity of the situation[1][20]. It appeared to be just another routine patch for outdated code[1][20].
At 23:00 CET on 05.03.25, the 1inch team discovered a vulnerability in resolver smart contracts using the obsolete Fusion v1 implementation. No end-user funds were at risk—only resolvers using Fusion v1 in their own contracts. We’re actively working with affected resolvers to secure their systems. We urge all resolvers to audit and update their contracts immediately. For more details and bug bounty info (inc. funds return), visit HackenProof.
However, the attack had already resulted in the theft of $5 million, a detail that 1inch had been notified about[2] and appeared to hint at with discussions of "funds return" for example[20]. Security firm Decurity describes observing the transactions and being unable to determine if there was a vulnerability or perhaps it was a simple phishing attack[2], and notifying 1Inch Exchange at the time[2]. It wasn’t until SlowMist, a security firm, conducted a follow-up investigation that the full scale of the theft—2.4 million USDC and 1,276 WETH—was revealed[1].
Ultimate Outcome
A bounty of $450,000 USD was paid for the discovery.
Total Amount Recovered
The total amount returned was 2,400,000 USDC and 1.076 WETH.
The total amount recovered has been estimated at $4,550,000 USD.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. 1Inch - Rekt (Accessed Mar 14, 2025)
2. Yul Calldata Corruption - 1inch Postmortem - Decurity (Accessed Mar 14, 2025)
3. IDM Communication With 1Inch Hacker - Etherscan (Accessed Mar 14, 2025)
4. Attack Transaction 1 - Etherscan (Accessed Mar 14, 2025)
5. Attack Transaction 2 - Etherscan (Accessed Mar 14, 2025)
6. Attack Transaction 3 - Etherscan (Accessed Mar 14, 2025)
7. Attack Transaction 4 - Etherscan (Accessed Mar 14, 2025)
8. Attack Transaction 5 - Etherscan (Accessed Mar 14, 2025)
9. Attack Transaction 6 - Etherscan (Accessed Mar 14, 2025)
10. Attack Transaction 7 - Etherscan (Accessed Mar 14, 2025)
11. Attack Transaction 8 - Etherscan (Accessed Mar 14, 2025)
12. Attack Transaction 9 - Etherscan (Accessed Mar 14, 2025)
13. Attack Transaction 10 - Etherscan (Accessed Mar 14, 2025)
14. Attacker Returns 2,400,000 USDC To 1Inch - Etherscan (Accessed Mar 14, 2025)
15. Attacker Returns 1,076 WETH To 1Inch - Etherscan (Accessed Mar 14, 2025)
16. List Of Reported Audits Completed - Github (Accessed Mar 14, 2025)
17. 1inch Network Homepage (Accessed Jul 19, 2023)
18. 1inch Smart Contract - HackenProof (Accessed Mar 18th, 2025)
19. 1inch Smart Contract - HackenProof Archive July 20th, 2024 6:24:44 AM MDT (Accessed Mar 18, 2025)
20. 1Inch Exchange - "At 23:00 CET on 05.03.25, the 1inch team discovered a vulnerability in resolver smart contracts using the obsolete Fusion v1 implementation. No end-user funds were at risk—only resolvers using Fusion v1 in their own contracts." - Twitter/X (Accessed Mar 18, 2025)
21. Rekt News - "One hacker transformed @1inch resolver contracts into a $5 million ATM through an integer underflow exploit - all with a negative 512 value. Attacker pocketed $450K as a "bounty" for exposing two years of an undetected vulnerability." - Twitter/X (Accessed Mar 17, 2025)