1Inch Resolve Order Suffix Integer Overflow Vulnerability
1inch, a decentralized finance platform, offers tools for optimizing trades across multiple networks, swapping tokens, and managing assets securely, while also emphasizing its commitment to security and compliance. The platform's older Fusion V1 protocol, though deprecated, became the target of a vulnerability that allowed an attacker to exploit a bug in the resolver contract, draining millions of dollars. Despite several audits, the flaw remained undetected for over two years. After a series of negotiations, most of the stolen funds were returned, minus a 10% bounty.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]
About 1Inch Exchange
"One-stop access to decentralized finance" "Optimize your trades across hundreds of DEXes on multiple networks" "A tool for swapping tokens across any network and placing on-chain limit orders securely, at the best rate." "The most powerful mobile app for managing your assets and exploring Web3." "A cutting-edge tracking tool offering accurate, detailed and well-organized crypto portfolio information."
"1inch is dedicated to advancing a secure and compliant DeFi ecosystem. By uniting with forefront security and compliance specialists, we set the standard for safety and compliance, ensuring our users navigate the DeFi space with confidence."
What Happened
A vulnerability in 1inch's deprecated Fusion V1 contracts allowed an attacker to exploit a calldata corruption issue, stealing $5 million by using a simple integer overflow trick.
| Date | Event | Description |
|---|---|---|
| March 5th, 2025 10:15:23 AM MST | First Attack Transaction Occurs | The first attack transaction on the Ethereum blockchain. |
| March 5th, 2025 10:31:00 AM MST | Decurity Team Alerted | The Decurity team "noticed a hack alert related to 1inch in the Defimon dashboard and Telegram channel". |
| March 5th, 2025 10:38:00 AM MST | Decurity Team Investigation | The Decurity team "started looking into it, some funds were still intact, the reason was unclear". |
| March 5th, 2025 10:47:00 AM MST | Decurity Team Confusion | The Decurity team notes their confusion at the time: "Someone made bad trades on 1inch or got phished?" |
| March 5th, 2025 10:53:00 AM MST | Decurity Team Conclusion | The Decurity team "decided that this is a bug in the resolver’s implementation." |
| March 5th, 2025 10:54:35 AM MST | Final Attack Transaction Occurs | The final attack transaction in the sequence. As the Decurity team notes, "The hacker finished draining the funds." |
| March 5th, 2025 10:55:00 AM MST | Decurity Team Notifies 1Inch | The Decurity team "became confident this is a 3rd party resolver hack and notified the 1inch team". |
| March 5th, 2025 11:10:00 AM MST | Decurity Team Joins War Room | The Decurity team "joined the war room, started brainstorming the reasons and looking for other affected resolver implementations". |
| March 5th, 2025 11:34:23 AM MST | Attacker Requests For Bounty | The attacker sent an on-chain message via IDM "Can I have bounty?". |
| March 5th, 2025 11:51:11 AM MST | 1Inch Team Responds About Bounty | The 1Inch team responds via the IDM messaging system, providing the attacker with a Telegram chat channel "trustedvolumes". |
| March 5th, 2025 1:01:11 PM MST | 1Inch Team Provides Alternative | The 1Inch team provides the attacker with an alternative means of contacting them via a ProtonMail email address. |
| March 5th, 2025 4:40:00 PM MST | Decurity Root Cause Analysis | The Decurity team "finished the analysis and identified the root cause and exploit mechanics". |
| March 5th, 2025 4:55:35 PM MST | Bounty Negotiations Officially Completed | The 1Inch team notes in an IDM that they have reached an agreement with the attacker for a bug bounty of $450k. The official refund address is provided. Decurity notes this as the "negotiations concluded successfully". |
| March 5th, 2025 4:59:59 PM MST | Return Of USDC Funds From Exploit | The attacker returns 2,400,000 USDC to the official refund address. |
| March 5th, 2025 5:02:35 PM MST | Return Of WETH Funds From Exploit | The attacker returns 1,076 WETH to the official refund address. |
| March 5th, 2025 9:12:00 PM MST | Reported Return Of All Funds | Decurity notes that "The attacker returned all the funds except for a fractional bounty." However, it's unclear what other transactions are involved in the return of funds. |
| March 7th, 2025 10:38:48 AM MST | Decurity Post-Mortem Published | Decurity publishes a post-mortem revealing that the attack exploited a vulnerability in the order suffix processing of 1inch's older Fusion V1 protocol, enabling an attacker to overwrite the resolver address and call arbitrary resolvers. This led to a loss for market maker TrustedVolumes, but after negotiations, most of the funds were returned, with only a fractional bounty remaining. The post-mortem reveals that despite multiple audits, the vulnerability went unnoticed for over two years, largely due to the code's evolution and lack of attention to the resolver contract. It emphasizes lessons learned about audit scope, threat modeling, and the importance of real-time threat detection and post-deployment security. |
Technical Details
"The exploit targeted a third-party resolver contract integrated with the Fusion V1 protocol. 1inch Fusion is an efficient gasless swap protocol built on top of 1inch Limit Order Protocol. Fusion V1 was deprecated mid-2023 but was not destructed for the purpose of backwards compatibility for the users who still needed the old version."
"The attacker used the following approach:
- Create a normal order swapping a few wei for millions USD.
- Pad it with null-bytes.
- Specify an invalid interactionLength value (0xffff…fe00 = -512).
- Add a fake suffix structure as an interaction."
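The following Python model is an added illustration, not code from 1inch, Decurity or the affected resolver: it uses a constructed calldata layout (interactionLength word, bodyLength word, body, interaction, one-word suffix holding the resolver address) to show how a length that is "negative" under the EVM's wrapping 256-bit arithmetic relocates the suffix pointer into attacker-padded bytes, and what the bounds check that rejects such a length looks like. The layout, field names and addresses are assumptions made for the example.

```python
WORD, MASK = 32, (1 << 256) - 1   # EVM words are unsigned 256-bit; add/sub wrap silently
SUFFIX = WORD                     # suffix modelled as one word, low 20 bytes = resolver address
NEG_512 = (-512) & MASK           # 0xffff...fe00, the interactionLength quoted in the post-mortem

def word(n: int) -> bytes:
    return (n & MASK).to_bytes(WORD, "big")

def build(body: bytes, interaction: bytes, resolver: bytes, declared_len: int) -> bytes:
    """Constructed layout: [interactionLength][bodyLength][body][interaction][suffix]."""
    return word(declared_len) + word(len(body)) + body + interaction + bytes(12) + resolver

def lengths(cd: bytes):
    return int.from_bytes(cd[:WORD], "big"), int.from_bytes(cd[WORD:2 * WORD], "big")

def suffix_start_unchecked(cd: bytes) -> int:
    # Yul-style: offsets are added mod 2**256 and never compared with calldatasize()
    ilen, blen = lengths(cd)
    return (2 * WORD + blen + ilen) & MASK

def suffix_start_checked(cd: bytes) -> int:
    # Mitigation: each declared length must fit inside the calldata that really exists
    ilen, blen = lengths(cd)
    body_start = 2 * WORD
    if blen > len(cd) - body_start - SUFFIX:
        raise ValueError("bodyLength exceeds calldata")
    if ilen > len(cd) - body_start - blen - SUFFIX:   # also rejects 2**256 - 512
        raise ValueError("interactionLength exceeds calldata")
    return body_start + blen + ilen

def parse_resolver(cd: bytes, checked: bool) -> bytes:
    start = suffix_start_checked(cd) if checked else suffix_start_unchecked(cd)
    w = cd[start:start + WORD]
    if len(w) != WORD:            # the EVM would zero-fill a read past the end; make it explicit
        raise ValueError("suffix outside calldata")
    return w[12:]

HONEST = b"\xaa" * 20             # constructed address of the intended resolver
ROGUE = b"\xbb" * 20              # constructed address planted inside the padded body

def honest_calldata() -> bytes:
    return build(b"\x01" * 64, b"\x02" * 16, HONEST, declared_len=16)

def corrupted_calldata() -> bytes:
    # 512-byte body: a fake suffix word first, null padding after. An interactionLength
    # of -512 makes the unchecked pointer wrap back onto that fake word (offset 64).
    body = bytes(12) + ROGUE + bytes(512 - WORD)
    return build(body, b"", HONEST, declared_len=NEG_512)
```

With the unchecked parser the corrupted calldata yields the planted address while the genuine suffix at the end is never read; the checked parser rejects the same input before any address is used.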
Total Amount Lost
"The final tally: TrustedVolumes got most of their $4.5M back minus the 10% 'bounty' the attacker kept ($450K), while smaller market makers collectively lost around $500K."
The total amount lost has been estimated at $5,000,000 USD.
Ultimate Outcome
A bounty of $450,000 USD was paid for the discovery.
Total Amount Recovered
The total amount recovered has been estimated at $4,550,000 USD.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. 1inch Network | Leading high capital efficient DeFi protocols (Accessed Jul 19, 2023)
2. 1Inch - Rekt (Accessed Mar 14, 2025)
3. Yul Calldata Corruption - 1inch Postmortem - Decurity (Accessed Mar 14, 2025)
4. IDM Communication - Etherscan (Accessed Mar 14, 2025)
5. Attack Transaction 1 - Etherscan (Accessed Mar 14, 2025)
6. Attack Transaction 2 - Etherscan (Accessed Mar 14, 2025)
7. Attack Transaction 3 - Etherscan (Accessed Mar 14, 2025)
8. Attack Transaction 4 - Etherscan (Accessed Mar 14, 2025)
9. Attack Transaction 5 - Etherscan (Accessed Mar 14, 2025)
10. Attack Transaction 6 - Etherscan (Accessed Mar 14, 2025)
11. Attack Transaction 7 - Etherscan (Accessed Mar 14, 2025)
12. Attack Transaction 8 - Etherscan (Accessed Mar 14, 2025)
13. Attack Transaction 9 - Etherscan (Accessed Mar 14, 2025)
14. Attack Transaction 10 - Etherscan (Accessed Mar 14, 2025)
15. Attacker Returns 2,400,000 USDC To 1Inch - Etherscan (Accessed Mar 14, 2025)
16. Attacker Returns 1,076 WETH To 1Inch - Etherscan (Accessed Mar 14, 2025)
17. List Of Reported Audits Completed - GitHub (Accessed Mar 14, 2025)