1inch suffers $5M hack due to smart contract vulnerability

Decentralized exchange aggregator 1inch lost $5 million in cryptocurrency when a hacker exploited a smart contract vulnerability, the platform confirmed.

On March 5, 1inch identified a vulnerability affecting resolvers — entities that fill orders — using the outdated Fusion v1 implementation, which was made public a day later.

Tracing the $5 million 1inch hack

On March 7, blockchain security firm SlowMist found through an onchain investigation that the 1inch hacker made away with 2.4 million USDC (USDC) and 1276 Wrapped Ether (WETH) tokens.

According to 1inch, the hack stole funds only from resolvers using Fusion v1 in their own contracts, and end-user funds were safe:

“We’re actively working with affected resolvers to secure their systems. We urge all resolvers to audit and update their contracts immediately.”

The platform announced bug bounty programs to secure any other underlying system vulnerabilities and recover the stolen funds. 

Related: $1.5B crypto hack losses expose bug bounty flaws

1inch’s attempt to recoup the stolen funds is slim unless the hacker agrees to return them. Previously, compromised crypto protocols have managed to recover funds after attackers have agreed to retain 10% of the funds as white hat bounties, as seen in the case of crypto lender Shezmu.

Still, the North Korean hackers behind the $1.5 billion Bybit hack — dubbed crypto’s largest-ever heist — were successful in siphoning the entire amount despite coordinated efforts by the crypto community to recover the losses.

The hackers stole various amounts of liquid-staked Ether (STETH), Mantle Staked ETH (mETH) and other ERC-20 tokens from Bybit. 

Bybit on the slow road to recovery

Despite the sudden loss of funds, Bybit managed to allow its users seamless withdrawal of their funds by quickly taking loans from other crypto companies, which were repaid at a later date.

It took 10 days for the Bybit hackers to launder $1.4 billion worth of stolen cryptocurrencies. Some of the laundered funds may still be traceable despite the asset swaps, according to Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers:

“While laundering through mixers and crosschain swaps complicates recovery, cybersecurity firms leveraging onchain intelligence, AI-driven models, and collaboration with exchanges and regulators still have small opportunities to trace and potentially freeze assets.”

THORChain, a crosschain swap protocol, which was reportedly extensively used by the hackers to siphon funds, experienced a surge in activity post-Bybit hack.

Magazine: Mystery celeb memecoin scam factory, HK firm dumps Bitcoin: Asia Express