1inch hacker returns 5 million after exploiting 2 year old vulnerability causing stock to surge

The 1inch hacker has returned most of the funds, the exploit contract vulnerability has been present for over two years. On March 7th, the 1inch team discovered a vulnerability in its old version Fusion v1 Parser smart contract, resulting in a loss of approximately 2.4 million USDC and 1276 WETH, totaling over 5 million US dollars. The affected parties were only those using the Fusion v1 parser contract.

According to a post-incident investigation report by the Decurity security team, the vulnerability was found in the code that was rewritten from Solidity to Yul in November 2022. Despite being audited by multiple security teams, the vulnerability remained in the system for over two years. After the incident, the attacker inquired through on-chain messages, asking, "Can I get a bounty?" Following this, negotiations took place with the victim TrustedVolumes. Once the negotiations were successful, the attacker began returning the funds on the evening of March 5th, ultimately returning all funds except the bounty in the early hours of March 6th at 4:12 (UTC time).

Decurity, as one of the Fusion V1 audit teams, conducted an internal investigation into this incident and summarized several key takeaways, including clearly defining threat models and audit scopes, allocating additional time for code changes during the audit period, and verifying deployed contracts, among others.

On March 6, 1inch officially confirmed a significant breach, revealing that an attacker had exploited a vulnerability in the platform's outdated Fusion v1 smart contract. The attack resulted in the theft of over $5 million, primarily affecting market makers on the 1inch platform. Trusted Volumes, one of the major market makers, was hit the hardest, losing approximately $4.5 million. Several smaller market makers also suffered losses, totaling around $0.5 million. The exact loss was challenging to estimate due to the fluctuating price of WETH, but SlowMist, an on-chain analysis firm, estimated the total loss at around $5 million, with $2.4 million in USDC and 1276 WETH.

The vulnerability was traced back to the resolver smart contract, which interacted with the trading bots of market makers. The hacker exploited the ability to connect to these bots and withdraw their funds instead of using them for settlement on 1inch