The decentralized exchange aggregator 1inch suffered a significant security breach on March 5, 2025, resulting in approximately $5 million in losses. The attacker exploited a vulnerability in the outdated Fusion v1 resolver smart contract, specifically targeting entities responsible for filling orders within the network. While the exploit caused substantial damage to market makers operating as resolvers, end-user funds remained secure throughout the incident, highlighting the compartmentalized architecture that prevented broader contagion.
The Exploit Mechanics
The attack vector was rooted in a deprecated version of the Fusion resolver smart contract. Resolvers on the 1inch network serve as intermediaries that fill user orders by sourcing liquidity from various decentralized exchanges. The Fusion v1 contract contained a logic flaw that allowed the attacker to manipulate order settlement parameters, enabling them to drain approximately $5 million from resolver wallets. The most severe single loss reached $4.5 million from one resolver operator.
Notably, the vulnerability existed exclusively in the older Fusion v1 contract. The upgraded Fusion v2 system, which had already been deployed and was actively in use, was not affected. This distinction proved critical in limiting the blast radius of the attack. The attacker methodically targeted only those resolvers still operating on the legacy contract, exploiting the gap between protocol upgrades and operator migration.
The exploit technique involved crafting malicious order payloads that the v1 contract failed to validate properly. By manipulating gas parameters and settlement instructions, the attacker could redirect resolver funds without triggering standard safety checks that were present in the newer contract version.
Affected Systems
The primary systems affected were the Fusion v1 resolver contracts on the Ethereum mainnet. Multiple resolver operators experienced losses, with one entity losing $4.5 million in a single transaction. The affected resolvers were market makers who had not yet migrated to the Fusion v2 infrastructure, which included patched security logic and enhanced validation mechanisms.
At the time of the exploit, Bitcoin was trading at approximately $86,742, and Ethereum was priced around $2,139, according to CoinMarketCap data for March 7, 2025. The broader market context saw a slight downturn, with BTC down 3.58% over 24 hours, potentially masking some of the price impact from the 1inch exploit itself.
Other DeFi protocols and decentralized exchanges were not directly impacted, as the vulnerability was specific to the 1inch Fusion v1 architecture. However, the incident prompted several other DEX aggregators to conduct internal security audits of their resolver systems as a precautionary measure.
The Mitigation Strategy
1inch responded swiftly to the incident. The immediate mitigation involved coordinating with remaining Fusion v1 resolvers to halt operations and migrate to the Fusion v2 contract. The team also worked with blockchain security firms to trace the exploited funds and identify the attacker’s wallet addresses. On-chain analysis indicated the attacker began moving funds through privacy-focused protocols shortly after the exploit.
The protocol team emphasized that the Fusion v2 contract, which features robust validation checks and improved settlement logic, had been available for migration well before the attack. The incident underscores the persistent risk of delayed upgrades in DeFi infrastructure, where legacy contracts continue operating alongside newer, more secure versions.
Additional mitigation steps included enhanced monitoring of resolver activity patterns, implementation of rate-limiting mechanisms for order submissions, and mandatory security patches for any resolver operating on the network regardless of contract version.
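As an added illustration of the monitoring measures described above (example code written for this page, not 1inch's own tooling), the script below audits a constructed set of resolver transactions: it flags any resolver still calling a deprecated settlement contract and any resolver wallet whose outflow exceeds a threshold inside a sliding time window. All contract and wallet addresses are labelled placeholders, and the window and threshold values are assumptions.

```python
# Added example: defender-side audit of resolver activity. Addresses are
# placeholders, not real 1inch contract or resolver addresses.
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical stand-ins for the deprecated v1 and current v2 settlement contracts.
DEPRECATED_CONTRACTS = {"0xFUSION_V1_PLACEHOLDER"}
CURRENT_CONTRACTS = {"0xFUSION_V2_PLACEHOLDER"}

@dataclass(frozen=True)
class Tx:
    ts: int           # unix seconds
    sender: str       # resolver wallet (placeholder)
    to: str           # contract called
    value_usd: float  # value leaving the resolver wallet in this call

def audit_resolver_txs(txs, window_s=600, max_outflow_usd=1_000_000.0):
    """Return (kind, sender, detail) alerts in timestamp order."""
    alerts = []
    recent = defaultdict(deque)   # sender -> (ts, value) pairs inside the window
    totals = defaultdict(float)   # sender -> outflow summed over the window
    for tx in sorted(txs, key=lambda t: t.ts):
        # Migration check: any call into a deprecated contract is a finding.
        if tx.to in DEPRECATED_CONTRACTS:
            alerts.append(("deprecated_contract", tx.sender, tx.to))
        elif tx.to not in CURRENT_CONTRACTS:
            alerts.append(("unknown_contract", tx.sender, tx.to))
        # Activity-pattern check: sliding-window outflow per resolver wallet.
        q = recent[tx.sender]
        q.append((tx.ts, tx.value_usd))
        totals[tx.sender] += tx.value_usd
        while q and tx.ts - q[0][0] > window_s:
            _, old = q.popleft()
            totals[tx.sender] -= old
        if totals[tx.sender] > max_outflow_usd:
            alerts.append(("outflow_spike", tx.sender, round(totals[tx.sender], 2)))
    return alerts

# Constructed sample: resolver A has migrated to v2; resolver B is still on v1
# and loses a large amount within one minute.
SAMPLE_TXS = [
    Tx(1000, "0xRESOLVER_A", "0xFUSION_V2_PLACEHOLDER", 50_000.0),
    Tx(1030, "0xRESOLVER_B", "0xFUSION_V1_PLACEHOLDER", 400_000.0),
    Tx(1090, "0xRESOLVER_B", "0xFUSION_V1_PLACEHOLDER", 700_000.0),
    Tx(2500, "0xRESOLVER_A", "0xFUSION_V2_PLACEHOLDER", 60_000.0),
]

if __name__ == "__main__":
    for kind, who, detail in audit_resolver_txs(SAMPLE_TXS):
        print(f"{kind}: {who} -> {detail}")
```

On the sample data the audit reports two deprecated-contract calls and one outflow spike, all attributed to the resolver that had not migrated.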
Lessons Learned
The 1inch exploit delivers several critical lessons for the DeFi ecosystem. First, timely migration from deprecated smart contracts is not optional — it is a fundamental security requirement. Resolver operators who delayed their upgrade to Fusion v2 bore the full cost of this attack. Second, the compartmentalized architecture of the 1inch system, which separated user funds from resolver operations, proved its worth by protecting end users from direct losses.
Third, the incident highlights the growing sophistication of DeFi attackers who actively scan for protocols running outdated contract versions. The attacker clearly understood the difference between v1 and v2 and selectively targeted the weaker system. This pattern of exploitation mirrors traditional cybersecurity dynamics where unpatched systems become low-hanging fruit for determined adversaries.
User Action Required
For users of 1inch and other DEX aggregators, this incident serves as a reminder to verify which contract versions your transactions interact with. If you are a resolver operator or liquidity provider, ensure that you are running the latest contract versions and have implemented all available security patches. For regular traders, the good news is that your funds were not directly at risk in this particular exploit. However, always practice basic security hygiene: use hardware wallets for large holdings, verify contract addresses before interacting, and monitor your wallet activity regularly. The 1inch team has confirmed that the Fusion v2 system remains fully operational and secure for all user transactions.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.
v2 was safe but v1 still had $4.5M sitting in it. Deprecation without migration is not really deprecation.
Deprecated does not mean decommissioned apparently. $4.5M sitting in a v1 contract with a known flaw is negligence dressed up as a migration plan.
$4.5M sitting in a deprecated contract while v2 was live. Someone at 1inch decided migration could wait and resolvers paid the price.
End user funds safe though. That's the part that matters. Resolvers knew the risk, users didn't lose anything.
That's a fair take but telling resolvers they should have known the risk when the v2 migration was supposedly underway is rich from 1inch.
Resolver architecture saved users here. The compartmentalization worked as designed even if the v1 code was broken.
Compartmentalization working as designed is the only positive here. But let's not praise 1inch too hard when the bug existed because they didn't force migration to v2.