1inch Protocol $5M Exploit: Outdated Resolver Vulnerability Exposed
An in-depth recount of the March 2025 1inch exploit: how obsolete contract code enabled an attack, and how system design changed as a result.

1inch $5M Hack: The Risks of Forgotten Code
How Forgotten Functions Opened the Door
In March 2025, decentralized exchange aggregator 1inch suffered a $5 million theft, the result of a vulnerability in its old Fusion v1 resolver contracts. The exploit targeted the Settlement function in outdated contracts, where a buffer overflow in the _settleOrder routine allowed the attacker to overwrite the designated resolver address. By crafting a transaction with a carefully constructed suffix, the hacker could impersonate the resolver and manipulate settlement logic, effectively swapping a trivial input for millions in assets. The root cause: the legacy code had been rewritten years prior (in Yul) but harbored vulnerabilities that multiple audits failed to catch, because critical logic was left behind in modules that were no longer supported but still integrated.
The damage was contained to resolvers running Fusion v1. End-user funds were not at risk, but the affected resolvers lost USDC and WETH. After reaching out via on-chain message, the hacker negotiated with 1inch for a bug bounty and returned the majority of funds, keeping only a portion as a "finder's fee." Still, the incident was a clear warning: DeFi protocols must relentlessly deprecate all unused, obsolete code and ensure it can’t be called in a live production path.
Rewriting the Playbook for Contract Safety
1inch’s response began with disabling all Fusion v1 integrations across its ecosystem, pushing out urgent audits for every resolver, and incentivizing both internal and external teams via bug bounty programs covering all order-matching and settlement code. All legacy code paths were permanently removed, and audit cycles for new upgrades now require “negative testing”: explicit verification that deprecated functions cannot be reached.
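As an added illustration of the “negative testing” requirement described above (example code written for this page, not 1inch’s own contracts or test suite; the contract, function and error names and the resolver address are hypothetical), a Foundry test that asserts a deprecated legacy settlement entrypoint reverts even for a formerly whitelisted resolver, and that no calldata shape gets past the guard:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Hypothetical legacy settlement contract with a one-way deprecation switch.
/// Once `deprecate()` is called, every legacy entrypoint must revert forever.
contract LegacySettlement {
    error Deprecated();
    error NotResolver();

    address public immutable owner;
    bool public deprecated;
    mapping(address => bool) public resolvers;

    constructor(address resolver) { owner = msg.sender; resolvers[resolver] = true; }

    /// One-way switch: there is deliberately no function that clears it.
    function deprecate() external {
        require(msg.sender == owner, "not owner");
        deprecated = true;
    }

    /// Legacy path: the guard runs first, before any order parsing or memory work.
    function settleOrders(bytes calldata /*orders*/) external {
        if (deprecated) revert Deprecated();
        if (!resolvers[msg.sender]) revert NotResolver();
        // ... legacy settlement logic would follow here (omitted) ...
    }
}

contract NegativeTest is Test {
    LegacySettlement s;
    address resolver = address(0xBEEF); // constructed test address

    function setUp() public {
        s = new LegacySettlement(resolver);
        s.deprecate();
    }

    /// A whitelisted resolver must still be unable to reach the legacy path.
    function testDeprecatedPathUnreachable() public {
        vm.prank(resolver);
        vm.expectRevert(LegacySettlement.Deprecated.selector);
        s.settleOrders(hex"00");
    }

    /// Fuzz: no calldata of any length or content gets past the guard.
    function testFuzzAnyOrdersRevert(bytes calldata orders) public {
        vm.prank(resolver);
        vm.expectRevert(LegacySettlement.Deprecated.selector);
        s.settleOrders(orders);
    }
}
```

Run with `forge test`; the fuzz case is the part that encodes the “cannot be reached” claim rather than a single happy-path revert.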
More broadly, the exploit reinforced that migrations and refactors always demand both technical and operational attention: multiple audits, active threat modeling, and post-deployment code freezes for observation. As the codebase evolves, so too must the surrounding security culture, ensuring that forgotten functions don't become the next vector for high-value exploits.