1inch suffers $5M hack due to smart contract vulnerability
Decentralized exchange aggregator 1inch has reported a security breach in which roughly $5 million in cryptocurrency was drained through a smart contract exploit. The incident is a reminder that a flaw in a single deprecated contract can disrupt a platform's operation and erode user trust even when end-user funds are not directly at risk.
On March 5, 1inch identified a vulnerability affecting resolvers, the third-party entities that fill and settle orders on the platform. The flaw lay in the outdated Fusion v1 implementation and was publicly disclosed shortly after it was identified. It allowed the attacker to drain substantial assets from the contracts of resolvers still running that version.
SlowMist, a blockchain security firm, published its analysis of the hack on March 7 and found that the attacker made off with approximately 2.4 million USDC and 1,276 Wrapped Ether (WETH). According to 1inch, the drained funds belonged solely to resolvers still using the deprecated Fusion v1 contracts; end-user funds were not affected. In its statement, 1inch said it was working with the affected resolvers and urged them to audit and update their contracts to prevent further losses.
To address the underlying vulnerability and attempt to recover the stolen assets, 1inch has opened bug bounty programs. Recovery nonetheless looks unlikely unless the attacker returns the funds voluntarily. There is some precedent: several protocols have recovered stolen assets by agreeing to treat a portion of the haul as a bug bounty in exchange for the return of the rest. Crypto lender Shezmu, for instance, recovered $5 million through such negotiations.
By contrast, recovery efforts after larger hacks offer little such optimism. The $1.5 billion Bybit hack, attributed to North Korean hackers and the largest theft in crypto's history, is a stark example: reports indicate the attackers laundered the entire haul despite collective recovery attempts by the crypto community. The stolen assets included liquid-staked Ether and other ERC-20 tokens, which further complicated tracing and recovery.
Bybit was able to reassure users by quickly honoring withdrawals, funded by loans from other crypto firms, a move that showed some resilience amid the chaos. The laundering itself took roughly ten days, during which about $1.4 billion worth of cryptocurrency was moved through various channels, notably mixers and cross-chain swaps. Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers, noted that while such techniques complicate tracing, some avenues for recovery remain thanks to ongoing collaboration among cybersecurity firms, regulators, and exchanges.
Both incidents underscore the inherent risks of the crypto ecosystem and the need for stronger security measures, from retiring deprecated contracts to coordinated fund tracing, to safeguard users' assets. The events surrounding 1inch and Bybit are a call for continued vigilance in a fast-evolving digital currency landscape.