BlockBeats News, March 9th: On March 7th, the 1inch team discovered a vulnerability in its old Fusion v1 Parser smart contract, resulting in a loss of approximately 2.4 million USDC and 1276 WETH, totaling over 5 million US dollars. Only parties using the Fusion v1 parser contract were affected.
According to a post-incident investigation report by the Decurity security team, the vulnerability was in code that had been rewritten from Solidity to Yul in November 2022. Despite audits by multiple security teams, the vulnerability remained in the system for over two years. After the incident, the attacker asked through on-chain messages, "Can I get a bounty?" Negotiations then took place with the victim, TrustedVolumes. Once the negotiations succeeded, the attacker began returning the funds on the evening of March 5th, and by 4:12 UTC on March 6th had returned all funds except the bounty.
Decurity, as one of the Fusion v1 audit teams, conducted an internal investigation into the incident and summarized several key takeaways, including clearly defining threat models and audit scopes, allocating additional time for code changes made during the audit period, and verifying the contracts actually deployed, among others.