1inch Suffers $5M Hack Due to Smart Contract Vulnerability
A recent exploit of the decentralized exchange aggregator 1inch resulted in the theft of approximately $5 million in cryptocurrency. The attacker took advantage of a vulnerability in 1inch's Fusion v1 smart contract, which affected resolvers, the independent parties that fill Fusion orders, rather than the aggregator's end users.
The Vulnerability: A Lesson in Smart Contract Security
According to 1inch, the attacker exploited a vulnerability in the outdated Fusion v1 implementation, which only affected resolvers that were still running it in their own contracts. The lesson is specific to on-chain code: a deprecated contract version does not stop being exploitable when a newer one ships. Because deployed contracts remain live and funded until their owners upgrade, pause or drain them, retiring superseded versions matters as much as publishing new ones.
The Stolen Funds: A $5 Million Loss
Blockchain security firm SlowMist determined through an on-chain investigation that the attacker had taken 2.4 million USDC and 1,276 Wrapped Ether (WETH). The attack targeted only resolvers using Fusion v1 in their own contracts, so end-user funds were not affected.
A Bug Bounty Agreement: A New Approach to Security
Following the exploit, 1inch negotiated directly with the attacker to recover the stolen funds. The discussions centered on a bug bounty agreement under which the attacker would return the stolen assets and keep a portion as a reward for identifying the vulnerability. According to Decurity's postmortem report, the attacker agreed to return the majority of the stolen funds, keeping only the agreed-upon bounty.
A New Approach to Crypto Security Incidents
The approach 1inch took is becoming common in crypto security incidents. In past cases, attackers have returned funds after negotiation, and the 1inch case suggests such agreements can be an effective way to recover stolen assets. The trade-off is that the reward goes to someone who exploited the flaw rather than reported it, so post-hoc negotiation is a recovery tactic, not a substitute for a bounty program that pays for disclosure before any funds move.
A Call to Action: Securing Resolvers' Systems
Despite recovering the funds, 1inch emphasized that resolvers must update their contracts to prevent similar exploits. The company stated: "We're actively working with affected resolvers to secure their systems. We urge all resolvers to audit and update their contracts immediately."
A Cautionary Tale: Bybit's $1.5 Billion Hack Losses
Recently, the North Korean hackers behind the $1.5 billion Bybit hack siphoned off the entire amount despite coordinated efforts by the crypto community to recover it. The stolen assets included Lido Staked Ether (stETH), Mantle Staked ETH (mETH) and other ERC-20 tokens.
A Complex Recovery Process
Despite the sudden loss, Bybit kept user withdrawals open by quickly borrowing from other crypto companies, loans it repaid later. Within 10 days the attackers had laundered about $1.4 billion of the stolen assets, although some of the laundered funds remain traceable despite the asset swaps.
A Surge in Activity on THORChain Post-Bybit Hack
THORChain, a cross-chain swap protocol reportedly used extensively by the attackers to move the funds, saw a surge in activity after the Bybit hack. Permissionless cross-chain swaps let an attacker convert stolen tokens into native assets on other chains faster than exchanges and issuers can freeze them, which is why such protocols draw both laundering volume and scrutiny after large thefts.