1inch Hacker Returns Funds for a Bounty

  • A threat actor who compromised some 1inch resolvers has returned stolen funds
  • The hacker, however, kept a bounty amount of $450,000
  • 1inch disclosed that “no end-user funds” were stolen

DeFi platform 1inch has revealed that a hacker who exploited a vulnerability to steal $5 million has returned the funds for a bounty of $450,000. 1inch said the funds were siphoned from its resolver smart contracts using “obsolete Fusion v1 implementation,” and added that the hacker didn’t steal end-user funds. The DeFi platform identified the vulnerability on March 5 and made it public on March 6, a day after the attacker stole the funds, showing that 1inch discovered the vulnerability when it was too late.

Funds Returned After Five Hours

Blockchain security firm SlowMist reported the hack, noting that it involved USDC and Wrapped Ether (WETH). The funds were returned after roughly five hours of negotiations initiated by the hacker through an on-chain message.

1inch urged resolvers to update their contracts and “review their […] security arrangement” to block further exploits. The platform also “redeployed the relevant contract as a precautionary measure.”

In a report, 1inch said the vulnerability allowed the hacker to trick resolvers that used the outdated Fusion v1 implementation into executing “unintended transactions.” It added that the incident stressed the need for regular contract reviews, strong validation mechanisms, enhanced anomaly detection, and secure integration practices.

Hackers Taking Bounties Isn’t New

A hacker returning funds for a bounty isn’t new in the crypto space. The Curve Finance hacker, for example, returned most of the $70 million he had stolen from the platform in 2023. Tender.fi’s hacker has also returned stolen funds for a bounty in the past.

Some hackers, however, prefer to keep the entire loot even after their identities are unmasked. The Mango Markets exploiter Avraham Eisenberg, for example, said he wished to keep the $47 million he stole from the platform despite being taken to court. Others, like the PlayDapp hacker, have also rejected a white hat bounty.

Although 1inch successfully negotiated with the hacker, the incident shows that malicious actors are scouting for even the slightest weakness on DeFi platforms.
