In March 2025, 1inch, a decentralized exchange aggregator, experienced a $5 million exploit that targeted its resolvers—entities responsible for fulfilling trades in its network. The attacker took advantage of a buffer overflow vulnerability in the deprecated Fusion v1 contract, specifically within the _settleOrder function of the Settlement process. By manipulating the interactionLength variable using an unusually long transaction, the attacker was able to modify the order suffix and pose as a legitimate resolver. This allowed them to exchange minimal wei for $5 million worth of tokens.
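The length-handling flaw described above, modelled in Python as an added example (this is not 1inch code and does not reproduce the real Fusion v1 calldata layout; the field sizes, the sample resolver address and the encode, parse_unchecked, parse_checked and settle functions are assumptions): a parser that derives the trusted suffix position from the caller-supplied interaction length alone, beside one that checks that length against the actual payload size before trusting the suffix.

```python
from typing import NamedTuple

LENGTH_FIELD = 4     # assumed size of the interactionLength field, in bytes
SUFFIX_LEN = 20      # assumed suffix: a 20-byte resolver address
# Constructed sample value: the only resolver this settlement trusts.
TRUSTED_RESOLVER = bytes.fromhex("11" * 20)
WHITELIST = {TRUSTED_RESOLVER}


class Settlement(NamedTuple):
    interaction: bytes
    resolver: bytes


def encode(interaction: bytes, resolver: bytes) -> bytes:
    """Well-formed layout: [length][interaction][suffix]."""
    return len(interaction).to_bytes(LENGTH_FIELD, "big") + interaction + resolver


def parse_unchecked(data: bytes) -> Settlement:
    """Vulnerable pattern: the suffix window is placed using the declared length
    only, so a length that disagrees with the real payload size moves the
    'trusted' suffix onto bytes the caller wrote."""
    declared = int.from_bytes(data[:LENGTH_FIELD], "big")
    start = LENGTH_FIELD + declared
    return Settlement(data[LENGTH_FIELD:start], data[start:start + SUFFIX_LEN])


def parse_checked(data: bytes) -> Settlement:
    """Hardened: the declared length must account for the whole payload, so the
    suffix can only ever be the trailing SUFFIX_LEN bytes."""
    if len(data) < LENGTH_FIELD + SUFFIX_LEN:
        raise ValueError("payload shorter than header plus suffix")
    declared = int.from_bytes(data[:LENGTH_FIELD], "big")
    if LENGTH_FIELD + declared + SUFFIX_LEN != len(data):
        raise ValueError("interaction length disagrees with payload size")
    return Settlement(data[LENGTH_FIELD:-SUFFIX_LEN], data[-SUFFIX_LEN:])


def settle(data: bytes, parser=parse_checked) -> bool:
    """Accept the settlement only when the suffix names a whitelisted resolver."""
    try:
        parsed = parser(data)
    except ValueError:
        return False
    return parsed.resolver in WHITELIST
```

The check in parse_checked is the whole mitigation: once the declared length is tied to the payload size, the suffix cannot be relocated onto caller-controlled bytes, whatever length the caller declares.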
The root cause of the breach was the continued use of outdated Fusion v1 contracts by resolvers, despite the protocol deprecating this version in 2023 and introducing Fusion v2. The failure to upgrade created a weak point in the system. Following the attack, 1inch and the affected resolver engaged in negotiations with the exploiter, eventually recovering most of the stolen funds, minus a bug bounty paid to the attacker.
This incident exposed the dangers of relying on legacy contracts and underscored the importance of timely contract upgrades, proactive security audits, and continuous monitoring. It also showed that, although buffer overflow vulnerabilities are rare in smart contracts, decentralized finance (DeFi) infrastructure must still account for such unconventional exploit paths.