
Inside the 1inch $5 Million Exploit: How a Deprecated Smart Contract Became a Hacker’s Gateway

The decentralized finance ecosystem faced another stark reminder of the dangers lurking in legacy code when 1inch, one of the most widely used DeFi aggregators, suffered a security exploit that drained over $5 million from resolver contracts. The incident, detected by security firm SlowMist in early March 2025, exposed how outdated infrastructure left active in production can become an open door for sophisticated attackers, even on platforms trusted by millions.

The Exploit Mechanics

At the heart of the attack was the deprecated Fusion v1 resolver smart contract, a component that should have been retired long before the exploit occurred. Resolvers in the 1inch ecosystem serve as automated algorithms that evaluate which orders to fulfill and provide liquidity to swappers. The vulnerability was classified as a calldata corruption issue in the settlement contract, leading to an arbitrary call vulnerability that the attacker expertly exploited.

Security analysis firm Decurity later released a detailed post-mortem revealing the surprisingly straightforward nature of the buffer overflow vulnerability. By setting an interaction length to -512, the attacker induced an integer underflow of memory pointers and redirected suffix data. This manipulation allowed the hacker to forge resolveOrders calls to the market maker contracts associated with the resolvers and systematically drain their funds. The vulnerability resided in the settleOrder function, code that was supposed to have been decommissioned but remained active and exploitable.
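To make the bug class concrete, here is a simplified model added for this article (not 1inch's code; function names, memory layout and the 32-byte suffix size are assumptions): a settlement routine locates a trailing suffix by adding a caller-supplied interaction length to a base pointer with wrapping 256-bit arithmetic, shown beside a bounds-checked version.

```python
# Constructed model of the pointer-underflow class described above. Not 1inch's code;
# all names, sizes and the memory layout are hypothetical.

MASK256 = (1 << 256) - 1   # EVM word size: unchecked adds wrap modulo 2**256
SUFFIX_LEN = 32            # assumed size of the trailing suffix the settlement reads

def _suffix_ptr_unchecked(base: int, interaction_len: int) -> int:
    """EVM-style pointer arithmetic: no sign, no overflow trap."""
    return (base + interaction_len) & MASK256

def read_suffix_vulnerable(memory: bytearray, base: int, interaction_len: int) -> bytes:
    """Trusts interaction_len as-is. A 'negative' length (two's complement, e.g. 2**256-512)
    makes the pointer underflow and land before base, in memory the caller controls."""
    ptr = _suffix_ptr_unchecked(base, interaction_len)
    return bytes(memory[ptr:ptr + SUFFIX_LEN])

def read_suffix_hardened(memory: bytearray, base: int, interaction_len: int, data_len: int) -> bytes:
    """Bounds-checks the length against the declared payload before any pointer math."""
    if interaction_len > data_len - SUFFIX_LEN:   # also rejects huge (wrapped) values
        raise ValueError("interaction length exceeds payload")
    ptr = base + interaction_len                  # cannot wrap: 0 <= len <= data_len
    if ptr + SUFFIX_LEN > base + data_len:
        raise ValueError("suffix out of bounds")
    return bytes(memory[ptr:ptr + SUFFIX_LEN])

def build_memory() -> tuple:
    """Constructed toy memory: caller-controlled scratch area, then the payload at base."""
    mem = bytearray(2048)
    base = 1024
    payload = b"I" * 64 + b"S" * SUFFIX_LEN       # interaction bytes, then honest suffix
    mem[base:base + len(payload)] = payload
    mem[base - 512:base - 512 + SUFFIX_LEN] = b"X" * SUFFIX_LEN  # bytes the caller placed
    return mem, base, len(payload)

def demo() -> dict:
    """Compare both parsers on an honest length and on the wrapped 'negative 512' length."""
    mem, base, data_len = build_memory()
    honest, negative_512 = 64, (-512) & MASK256
    out = {"honest_vuln": read_suffix_vulnerable(mem, base, honest),
           "honest_hard": read_suffix_hardened(mem, base, honest, data_len),
           "neg_vuln": read_suffix_vulnerable(mem, base, negative_512)}
    try:
        read_suffix_hardened(mem, base, negative_512, data_len)
        out["neg_hard"] = "accepted"
    except ValueError:
        out["neg_hard"] = "rejected"
    return out
```

With the honest length both readers return the real suffix; with the wrapped length the unchecked reader returns the caller-placed bytes from 512 bytes before the payload, while the checked reader reverts.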

Affected Systems

The exploit specifically targeted the resolver infrastructure within the 1inch ecosystem. Resolvers act as critical intermediaries, providing liquidity and ensuring efficient order execution across the aggregator’s vast network of decentralized exchange integrations. When the deprecated Fusion v1 contracts were left operational, they created an attack surface that extended to every market maker contract still connected to the legacy system. The $5 million in losses represents funds drained directly from resolver operators and liquidity providers who had not migrated to updated contract versions.

Bitcoin was trading at approximately $82,862 at the time, with Ethereum around $1,920, underscoring that this was not a small-time operation. The attacker targeted high-value liquidity pools during a period of significant market activity, maximizing the potential extraction before the vulnerability could be identified and patched.

The Mitigation Strategy

In the immediate aftermath, 1inch took decisive action to contain the damage and prevent further exploitation. The team encouraged all resolvers to audit and update their contracts without delay, launching dedicated efforts to assist impacted resolvers in securing their systems. Perhaps most notably, 1inch introduced a bug bounty program offering rewards ranging from $100 to $500,000, incentivizing the broader security community to contribute insights into the incident. The program received 58 submissions and paid out $200 in bounties during its initial phase.

The response also included direct negotiation with the attacker, a strategy that has become increasingly common in DeFi incident response. These negotiations led to the recovery of most stolen assets, minus a bug bounty fee paid to the exploiter. In an ironic twist, the hacker initially made an error during the return process, incorrectly transferring half of the stolen funds back to the 1inch settlement contract rather than the intended recovery address.

Lessons Learned

The 1inch exploit highlights several critical security principles that every DeFi protocol and user should internalize. First, deprecated code must be fully decommissioned, not merely superseded. The Fusion v1 settlement contract should have been entirely disabled once the upgraded version was deployed, eliminating any possibility of it being used as an attack vector. Second, regular security audits must cover legacy infrastructure alongside active deployments. The integer underflow vulnerability was present in code that had been nominally replaced, creating a false sense of security.

Third, the incident demonstrates the importance of proactive monitoring. SlowMist’s detection of suspicious transactions was the trigger for the response, but the vulnerability had existed in the deprecated contract for an unknown period before exploitation. Continuous automated scanning of all deployed contracts, including legacy ones, could have identified the vulnerability before an attacker did.

User Action Required

For users and liquidity providers interacting with DeFi aggregators like 1inch, the incident serves as a call to verify which contract versions your funds are interacting with. If you are operating as a resolver or providing liquidity through 1inch, ensure that your contracts have been updated to the latest version and that all deprecated function calls have been disabled. Users who were affected by the exploit should contact the 1inch team through official channels to verify whether their funds were included in the recovery process. As always, spreading risk across multiple platforms and never exposing more capital than you can afford to lose remains the most effective defense against protocol-level failures.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making financial decisions.


8 thoughts on “Inside the 1inch $5 Million Exploit: How a Deprecated Smart Contract Became a Hacker’s Gateway”

  1. deprecated fusion v1 resolver still live in production? that's on 1inch devops honestly, not even a sophisticated attack vector

    1. the devops team probably had it on some backlog with low priority. deprecated code sitting in prod is one of the oldest stories in engineering

    2. deprecated code in prod is tech debt nobody wants to own. the fix is boring work, the exploit is spectacular. classic incentive misalignment

    1. a third party security firm catching your vulnerability before your own team does is a massive failure of internal monitoring. 1inch should have had alerts on that resolver

      1. internal monitoring is always the first thing cut when teams scale. seen it at three different protocols now. security teams are cost centers until something blows up

    2. ^ right? a calldata corruption bug in a settlement contract they should have killed months ago. the post-mortem from Decurity was brutal

  2. 5 million gone because nobody bothered turning off an old resolver. imagine explaining that to your investors lol
