Trusted Volumes, one of the market makers on 1Inch, got hacked for $4.5M. The 1Inch DEX aggregator immediately noticed the suspicious outflows, which only affected a limited part of the protocol and did not lead to blocked trading or freezes for most traders.

The market maker for 1Inch, Trusted Volumes, was affected by a hack that syphoned away $4.5M. Several smaller market makers were also affected, for a total of $0.5M. The exact loss was hard to estimate, as some of the funds were in the form of WETH, whose price fluctuates. SlowMist estimates the total loss at around $5M, of which $2.4M was in USDC. A total of 2M USDC was moved in a single transaction, split between two addresses.

According to our analysis, this incident resulted in a loss of 2.4 million $USDC and 1276 $WETH, totaling over $5 million. — SlowMist (@SlowMist_Team) March 7, 2025

SlowMist pinpointed the 1Inch settlement contract, which was the hub of the exploit, draining the funds of several market makers.

Hacker drained market maker funds through the resolver smart contract

On-chain analyst Chaofan Shou pinpointed the problem with the resolver smart contract, which interacted with the trading bots of market makers. After the hacker made a mistake, white hat explorers tried to claw back some of the funds, which the hacker mistakenly sent back to 1Inch.

The vulnerability was only present in the now-obsolete Fusion V1 implementation of the contract. Currently, 1Inch uses a revised version but has kept the legacy resolver for some of the ecosystem participants. After the event, the company drew attention to its bug bounty program, which offers a bounty of up to $500K for critical vulnerabilities. 1Inch noted that all market makers are now using an updated settlement contract without the vulnerability.

On-chain investigators noted that the attacker exploited the ability to connect to bots and withdraw their funds instead of using them for settlement on 1Inch.
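The root-cause analysis quoted in this article says most bots authorized resolveOrders by checking only that msg.sender was the settlement contract. The sketch below is an added example, not code from 1Inch or any market maker: a toy Python model in which the class names, order ids, placeholder addresses and the two extra checks in BoundResolver are assumptions made for illustration.

```python
# Toy model, constructed for illustration; addresses and order ids are placeholders.
SETTLEMENT = "0xSETTLEMENT"
ATTACKER = "0xATTACKER"


class Unauthorized(Exception):
    pass


class SenderOnlyResolver:
    """Pays out on any resolveOrders-style call that arrives from the settlement address."""

    def __init__(self, balance):
        self.balance = balance

    def _authorize(self, msg_sender, order_id, recipient):
        if msg_sender != SETTLEMENT:
            raise Unauthorized("caller is not the settlement contract")

    def resolve_orders(self, msg_sender, order_id, recipient, amount):
        self._authorize(msg_sender, order_id, recipient)
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        return recipient, amount


class BoundResolver(SenderOnlyResolver):
    """Assumed hardening: the bot must have opened the fill, and funds go only to settlement."""

    def __init__(self, balance):
        super().__init__(balance)
        self.pending = set()

    def start_fill(self, order_id):
        self.pending.add(order_id)  # recorded when the bot itself submits a settlement

    def _authorize(self, msg_sender, order_id, recipient):
        super()._authorize(msg_sender, order_id, recipient)
        if order_id not in self.pending:
            raise Unauthorized("no fill in progress for this order")
        if recipient != SETTLEMENT:
            raise Unauthorized("funds may only go to the settlement contract")
        self.pending.discard(order_id)  # one payout per fill


def deliver_forged_call(resolver):
    """A call that carries the settlement address as sender but was never started by the bot."""
    try:
        return resolver.resolve_orders(SETTLEMENT, "order-x", ATTACKER, 100)
    except Unauthorized as exc:
        return f"rejected: {exc}"
```

The sender check passes in both classes; only the resolver that ties the payout to a fill it opened itself, and to the settlement address as recipient, refuses the call.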
The hacker could forge calls to the market makers and directly attack their liquidity. The calls to the market makers spoofed the original 1Inch contract and caused the trading bots to send their funds to the attacker.

1inch market maker @trustedvolumes got hacked for over $4.5M and a few smaller MMs got hacked for $0.5M yesterday. The root cause is that 1inch calls MM contract’s resolveOrders function to get funds to its settlement contract. Most bots only checked the msg.sender = settlement… https://t.co/CMo6x5S7Vg pic.twitter.com/kSnkP5jpiH — Friedrice (svm/acc) (@shoucccc) March 7, 2025

1Inch called on all market makers with resolver contracts to update their versions, although no new fund movements were noticed. The exploit does not require any actions from regular users and has not affected personal wallets.

The recent attack against a commonly used smart contract shows Web3 security is still an issue, even for leading protocols like 1Inch. The platform has a 94.41% score by Certik and was considered highly secure until recently. Despite Certik’s monitoring, not all the code of 1Inch has been verified and audited. A total of three contracts, or around 39% of the project’s code, have been verified.

1Inch itself is not a target, as the protocol only carries $4.35M in value locked. The DEX aggregator spans seven different chains, with Ethereum remaining the most active. The protocol slowed down its fee generation after a recent peak in November and December 2024. After that, the protocol went on to produce $170K in weekly fees. Despite the lowered activity, 1Inch remains a staple for small-scale Ethereum traders. The protocol retained 549K monthly active users.

1Inch token unaffected after the hack

The 1Inch token remained mostly unaffected by the news of the hack, trading at around $0.23, near its three-month lows. 1Inch tracks the overall slowing market trend, with limited demand even for tokens tied to the most widely used protocols.
Since the bull market of 2021, 1Inch has switched to small-scale users. Most users post trades under $1,000, while the median trade size has fallen for all chains. 1Inch is no longer the playing field of whales or early adopters but retains a smaller baseline of users for low-value swaps, sometimes under $10.