defirisk.co
rubric v1.7.0

1inch (Fusion v1 resolver contracts): Integer underflow in deprecated assembly — calldata pointer corruption → resolver address forgery

A two-year-old integer underflow in 1inch's deprecated Fusion v1 assembly code let an attacker forge resolver addresses and drain $5M from a market maker — nine audits missed it.

Occurred: 2025-03-05
Loss: $5M
Status: closed

Summary #

1inch (Fusion v1 resolver contracts), a DEX aggregator / limit order protocol, was exploited on 2025-03-05, resulting in a loss of approximately $5M.

What happened #

An integer underflow in the inline assembly of 1inch's deprecated Fusion v1 resolver contracts, present for about two years and missed by nine audits, let an attacker corrupt a calldata pointer and forge the resolver address the contract trusted. With the forged resolver, the attacker drained about $5M from a market maker that still held material value on the deprecated surface. The attacker wallet was funded via Tornado Cash and showed no other pre-staging on chain. Fusion v1 had been officially deprecated in mid-2023, roughly 18 months before the exploit, but the contracts stayed live under an admin key, and exploiting the bug required assembly and Web2-style heap-exploitation expertise.
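The underflow-to-pointer-corruption chain described above, modelled as an added example. This is not the 1inch code: the memory layout, slot addresses, 32-byte suffix length, the `extra` field and the function names are constructed assumptions chosen only to show the bug class. Yul `sub` wraps modulo 2**256, so when a length check is missing before the subtraction, an input shorter than the expected suffix turns the write offset into a pointer that steps backwards over a trusted word; here that word holds the resolver address. Python is used so the word arithmetic can be executed directly.

```python
"""Unchecked length subtraction relocating an EVM memory write (constructed model).

The modelled settlement routine builds the frame for an outgoing resolver call:

    0x80  trusted resolver word (address in the low 20 bytes, i.e. 0x8C..0x9F)
    0xA0  copy of `interaction`; its last 32 bytes are a suffix slot that the
          routine replaces with `extra`, so `extra` is written at
          0xA0 + len(interaction) - 32

Yul `sub` wraps, so an interaction shorter than 32 bytes turns that offset into
0xA0 - (32 - len), a write that lands on the resolver word.
"""

MASK = (1 << 256) - 1           # EVM word arithmetic is modulo 2**256
ADDR_MASK = (1 << 160) - 1
RESOLVER_SLOT = 0x80             # assumed layout, not the real contract's
BUF = 0xA0
SUFFIX_LEN = 32

# Constructed sample values.
TRUSTED_RESOLVER = 0x1111111111111111111111111111111111111111
ATTACKER = 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF


def yul_sub(a: int, b: int) -> int:
    """Yul `sub`: unchecked, wraps on underflow."""
    return (a - b) & MASK


def yul_add(a: int, b: int) -> int:
    """Yul `add`: unchecked, wraps on overflow."""
    return (a + b) & MASK


class Memory:
    """Minimal EVM memory: a byte array addressed by 256-bit offsets."""

    def __init__(self, size: int = 0x200) -> None:
        self.buf = bytearray(size)

    def write(self, offset: int, data: bytes) -> None:
        offset &= MASK
        if offset + len(data) > len(self.buf):
            raise MemoryError(f"write at {offset:#x} is outside the modelled region")
        self.buf[offset:offset + len(data)] = data

    def mstore(self, offset: int, word: int) -> None:
        self.write(offset, word.to_bytes(32, "big"))

    def mload(self, offset: int) -> int:
        offset &= MASK
        return int.from_bytes(self.buf[offset:offset + 32], "big")


def build_frame_vulnerable(resolver: int, interaction: bytes, extra: bytes) -> Memory:
    """Frame builder with the unchecked length subtraction (the bug class)."""
    mem = Memory()
    mem.mstore(RESOLVER_SLOT, resolver)              # trusted, e.g. taken from a signed order
    mem.write(BUF, interaction)                      # calldatacopy(BUF, interaction.offset, interaction.length)
    payload_len = yul_sub(len(interaction), SUFFIX_LEN)  # BUG: wraps when len(interaction) < 32
    extra_ptr = yul_add(BUF, payload_len)            # wraps back to BUF - (32 - len(interaction))
    mem.write(extra_ptr, extra)                      # calldatacopy(extra_ptr, extra.offset, extra.length)
    return mem


def build_frame_fixed(resolver: int, interaction: bytes, extra: bytes) -> Memory:
    """Same layout, with the bounds check that must precede the subtraction."""
    if len(interaction) < SUFFIX_LEN:                # Yul: if lt(interaction.length, 32) { revert(0, 0) }
        raise ValueError("interaction shorter than its mandatory 32-byte suffix")
    mem = Memory()
    mem.mstore(RESOLVER_SLOT, resolver)
    mem.write(BUF, interaction)
    mem.write(BUF + len(interaction) - SUFFIX_LEN, extra)
    return mem


def resolver_seen_by_call(mem: Memory) -> int:
    """Address the routine would pass as `resolver` once the frame is built."""
    return mem.mload(RESOLVER_SLOT) & ADDR_MASK


def forged_resolver(trusted: int, interaction: bytes, extra: bytes) -> int:
    """Resolver address after the vulnerable builder has processed the input."""
    return resolver_seen_by_call(build_frame_vulnerable(trusted, interaction, extra))


def fixed_builder_rejects(interaction: bytes) -> bool:
    """True if the hardened builder refuses this interaction length."""
    try:
        build_frame_fixed(TRUSTED_RESOLVER, interaction, b"\x00" * 20)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attacker_bytes = ATTACKER.to_bytes(20, "big")
    # 12-byte interaction: 12 - 32 wraps, so `extra` lands at 0xA0 - 20 = 0x8C,
    # exactly the 20 address bytes of the resolver word.
    print(hex(forged_resolver(TRUSTED_RESOLVER, b"\x00" * 12, attacker_bytes)))
    # A well-formed 40-byte interaction leaves the resolver untouched.
    print(hex(forged_resolver(TRUSTED_RESOLVER, b"\x00" * 40, attacker_bytes)))
    print("fixed builder rejects short input:", fixed_builder_rejects(b"\x00" * 12))
```

The hardened builder shows the minimal fix: an explicit `lt` check before the subtraction, or doing the arithmetic in checked Solidity rather than Yul. The same wrap-around applies to any `sub` on an attacker-influenced length inside inline assembly, which is why a review of a deprecated-but-live contract should start by grepping its assembly blocks for unchecked arithmetic on calldata lengths.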

Linked factors #

  • RD-F-002 — related : Audit recency (stale signal — text variants only; numeric thresholds need value-parser, deferred) [via dashboard_risk_factors/Time since last audit: Unknown; v1 deprecated mid-2023 — ~18 months before exploit]
  • RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived 9 reviews; required assembly/Web2 heap exploitation expertise]
  • RD-F-027 — related : ★ Single admin EOA — adjacent [via cross-hack: Factor 36: Deprecated Contract With Live Admin Key]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker wallet funded via Tornado Cash before attack; no other pre-staging]
  • RD-F-166 — causal : Officially-deprecated surface still holds material value [via cross-hack: Factor 36: Deprecated Contract With Live Admin Key; Factor 46: Sunset / Wind-Down Period as Reduced Vigilance Window]