The decentralized exchange aggregator 1inch has fallen victim to a sophisticated smart contract exploit that drained approximately $5 million from resolver contracts on March 5, 2025. The attack targeted the deprecated Fusion v1 settlement contract, exposing a critical calldata corruption vulnerability that security researchers describe as one of the most complex DeFi attacks in recent memory. As Bitcoin trades at $90,623 and Ethereum at $2,241, the incident serves as a stark reminder that legacy code lurking in production systems remains one of the most dangerous threats in decentralized finance.
The Exploit Mechanics
The root cause of the exploit traces back to an outdated resolver smart contract still operating on the deprecated Fusion v1 infrastructure. Resolvers serve as automated algorithms within the 1inch ecosystem, evaluating which orders to fulfill and providing liquidity to swappers. The vulnerability has been classified as calldata corruption in the settlement contract, which in turn enabled an arbitrary call.
Security auditors from Decurity explain that by setting an interaction length to negative 512, an attacker could induce an integer underflow of memory pointers and redirect suffix data. This manipulation allowed the hacker to forge resolveOrders calls to market maker contracts associated with the resolvers and drain their funds. The old version of 1inch Settlement contained a callback option for executing all matching orders. Due to an error in handling function arguments when parsing the order suffix, it became possible to overwrite the resolver contract address and redirect calls to any contract.
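To make the bug class concrete, the following is a constructed Python model, added here and not 1inch's Settlement code or its real memory layout: a callback lays out a call frame in EVM-style memory and positions the order suffix using the caller-supplied interaction length. With the length encoded as uint256(-512) the suffix pointer wraps backward and the suffix bytes land on the call-target word; the checked variant rejects the same input. Frame layout, constants, addresses and function names are assumptions.

```python
# Constructed model of the "negative interaction length" bug class.
# Not the 1inch Settlement contract; layout and constants are assumptions.
WORD = 2**256          # EVM pointer arithmetic wraps modulo 2**256
MEM_SIZE = 1024        # toy memory for the model
FRAME = 512            # frame header: [call-target word][interaction][suffix]
TRUSTED_RESOLVER = bytes.fromhex("11" * 20)   # constructed allowlisted resolver
ATTACKER_ADDR = bytes.fromhex("aa" * 20)      # constructed attacker address

def to_word(addr: bytes) -> bytes:
    """Left-pad a 20-byte address to a 32-byte EVM word."""
    return addr.rjust(32, b"\x00")

def uint256(n: int) -> int:
    """Encode a possibly negative int the way calldata carries it (two's complement)."""
    return n % WORD

def build_frame_unchecked(interaction_len: int, interaction: bytes, suffix: bytes) -> bytes:
    """Vulnerable layout: suffix pointer = interaction start + declared length, no bounds
    check. Returns the 20-byte address the callback would actually call."""
    mem = bytearray(MEM_SIZE)
    mem[FRAME:FRAME + 32] = to_word(TRUSTED_RESOLVER)   # target chosen by the contract
    ip = FRAME + 32                                      # interaction starts after header
    mem[ip:ip + len(interaction)] = interaction
    sp = (ip + interaction_len) % WORD                   # wraps backward for "negative" lengths
    if sp + len(suffix) > MEM_SIZE:
        raise MemoryError("write beyond model memory (would be out-of-gas on the EVM)")
    mem[sp:sp + len(suffix)] = suffix                    # can overwrite the header word
    return bytes(mem[FRAME + 12:FRAME + 32])             # address = low 20 bytes of the word

def build_frame_checked(interaction_len: int, interaction: bytes, suffix: bytes) -> bytes:
    """Same layout with the bounds and consistency checks the unchecked version lacks."""
    if interaction_len >= 2**255:
        raise ValueError("interaction length is negative when read as int256")
    if interaction_len != len(interaction):
        raise ValueError("declared interaction length does not match the payload")
    if FRAME + 32 + interaction_len + len(suffix) > MEM_SIZE:
        raise ValueError("suffix would fall outside the frame")
    return build_frame_unchecked(interaction_len, interaction, suffix)

def is_rejected(interaction_len: int, interaction: bytes, suffix: bytes) -> bool:
    """True when the checked builder refuses the input."""
    try:
        build_frame_checked(interaction_len, interaction, suffix)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    evil_suffix = b"\x00" * 480 + to_word(ATTACKER_ADDR)   # bytes 480..512 hit the header
    print(build_frame_unchecked(uint256(-512), b"", evil_suffix).hex())   # attacker address
    print(is_rejected(uint256(-512), b"", evil_suffix))                   # True
```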
The attack resulted in losses of 2.4 million USDT and 1,276 wETH, valued at approximately $2.7 million at the time. The market maker TrustedVolumes bore the brunt of the losses. Critically, end-user funds remained unaffected — the vulnerability only impacted resolvers that continued using the deprecated contract without adequate security measures.
Affected Systems
The compromised systems were exclusively resolver contracts tied to the Fusion v1 settlement layer. The 1inch aggregator protocol itself, its core swap infrastructure, and user-facing services operated without disruption. According to blockchain analytics from SlowMist, suspicious transactions were first detected on March 5, triggering an immediate investigation.
TrustedVolumes, a market maker operating as a resolver on the old contract, suffered the most significant losses. The incident underscores a persistent problem in DeFi: third-party operators often continue using deprecated infrastructure long after newer, more secure versions become available. The gap between a protocol upgrade and actual adoption by all participants creates an extended window of vulnerability.
The Mitigation Strategy
1inch responded swiftly with a multi-pronged approach. The team encouraged all resolvers to audit and update their contracts immediately, launched direct assistance programs for impacted parties, and introduced a bug bounty program offering rewards between $100 and $500,000. Within days, 1inch received 58 submissions and paid initial bounties.
Most remarkably, 1inch successfully negotiated with the attacker. The hacker agreed to return the stolen assets in exchange for a $450,000 bounty payment. The remaining funds were transferred back to the affected market maker. Notably, during the return process, the hacker initially made an error — transferring half of the funds back to the 1inch settlement contract instead of the intended recipient.
Lessons Learned
The 1inch incident illuminates several critical security principles. First, deprecated contracts must not remain functional. Protocol teams need aggressive sunset mechanisms that force migration to updated infrastructure. Second, resolver contracts represent a blind spot in DeFi security auditing. While the core protocol receives extensive review, third-party integrations often escape thorough examination. Third, the speed of negotiation and recovery demonstrates the value of maintaining communication channels and structured bounty programs.
The calldata corruption technique used in this attack represents an evolving class of low-level vulnerabilities that exploit memory management in EVM execution. Security teams must expand their audit scope beyond high-level logic to include assembly-level analysis of memory operations and integer handling.
User Action Required
Users of the 1inch platform face no immediate risk from this incident. However, market makers and resolvers operating on any version of 1inch infrastructure should immediately verify they are running the latest contract versions. Protocol operators across DeFi should audit their systems for deprecated contracts still in active use and implement forced migration mechanisms where possible.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making investment decisions.
deprecation in defi is a myth. contracts live forever and this 1inch thing proves nobody actually goes back to check what's still running on mainnet
^ the fusion v1 contract was labeled deprecated but still held $5M in resolver funds. that's the real issue right there
negative 512 interaction length to trigger arbitrary calls is wild. makes you wonder how many other old contracts have similar integer underflows sitting undiscovered
integer underflows are textbook but they keep showing up in production contracts. audit tools should catch these automatically by now
the integer underflow is such a classic bug class. you would think settlement contracts handling millions would have bounds checking
deprecated fusion v1 still resolver-funded with $5M and nobody at 1inch flagged it. the word deprecated means nothing in defi
deprecated but still funded. every defi protocol needs a decommission process, not just a label change