REKT AUTOPSY
CASE FILE #07

1inch

March 7, 2025

CAUSE OF DEATH

Calldata underflow leading to resolver hijack.

TOTAL LOST: $5.0M
CHAIN: Ethereum
TYPE: Other

FORENSIC REPORT

TIME OF DEATH

Time of death: March 7, 2025, approximately 14:32 UTC. The 1inch protocol, a market-leading DEX aggregator handling roughly $1.2 billion in daily volume, was found in critical condition following exploitation of its resolver contract architecture. Initial distress signals emerged when transactions began routing through unauthorized intermediaries, with funds flowing to attacker-controlled addresses rather than intended beneficiaries. The specimen's defensive systems failed to prevent the hemorrhage.

CAUSE OF DEATH ANALYSIS

Cause of death analysis reveals a calldata underflow vulnerability in the resolver contract—essentially, the contract failed to validate input boundaries when processing transaction data. An attacker crafted malformed calldata whose declared lengths caused the parser's length arithmetic to underflow, allowing them to hijack the resolver's routing logic entirely. The resolver, responsible for directing swap execution across liquidity sources, became a puppet controlled by hostile input. This wasn't a rug pull or governance attack; this was surgical precision. The attacker gained administrative-level control over transaction flow without ever touching the actual vault contracts. The technical elegance makes it almost beautiful in a necropolis sort of way.

CONTRIBUTING FACTORS

Contributing factors and warning signs: The resolver contract exhibited classic symptoms of insufficient input validation—a pandemic in DeFi. No bounds checking. No overflow/underflow guards. The contract had operated for months with this weakness, suggesting either inadequate formal verification or a false sense of security derived from being a "trusted" protocol. No public security audit could be located for this specific component. The victim operated under the assumption that their aggregator logic was sufficiently abstracted from exploitable surfaces. They were wrong.
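To make the failure mode described in the two paragraphs above concrete, here is an added Python model. It is not 1inch's code and does not reproduce the real contract's layout; the memory layout, field names and both addresses are invented for the demonstration. It models EVM uint256 arithmetic, which wraps modulo 2**256 in inline assembly and `unchecked` blocks, and parses a buffer holding caller-supplied interaction bytes followed by a routing word the protocol appended itself. The vulnerable parser trusts a caller-declared length: an oversized value wraps the "bytes remaining" check into passing and wraps the tail pointer backwards into memory the caller filled earlier, so the routing target it reads is the caller's rather than the protocol's. The checked parser bounds the untrusted length before doing any arithmetic with it.

```python
"""
Toy model of a calldata tail parser with EVM-style unchecked arithmetic.

Added illustration of the bug class in the report: a length underflow that
lets hostile input steer where a trusted routing field is read from.
NOT 1inch's code; memory layout, field names and addresses are invented.
"""

MASK = (1 << 256) - 1        # EVM words are uint256; arithmetic wraps mod 2**256
ADDR_MASK = (1 << 160) - 1   # an address is the low 20 bytes of a word
WORD = 32

TRUSTED_RESOLVER = int("11" * 20, 16)  # constructed: routing target the protocol appended
ATTACKER = int("22" * 20, 16)          # constructed: address the hostile input wants used


def sub_unchecked(a: int, b: int) -> int:
    """uint256 subtraction as assembly / unchecked{} performs it: wraps on underflow."""
    return (a - b) & MASK


def add_unchecked(a: int, b: int) -> int:
    return (a + b) & MASK


def mload(mem: bytearray, off: int) -> int:
    """Read one 32-byte word from modelled memory; offsets wrap like the EVM's do."""
    off &= MASK
    if off + WORD > len(mem):
        raise IndexError("read outside the modelled memory")
    return int.from_bytes(mem[off:off + WORD], "big")


def build_memory(earlier_arg: bytes, interaction: bytes, resolver: int):
    """Lay memory out the way a settlement-style contract might: a caller-supplied
    argument copied earlier, then the interaction buffer, then the trusted tail
    (one word holding the resolver address) appended by the contract itself."""
    mem = bytearray(4096)
    arg_ptr = 0x80
    mem[arg_ptr:arg_ptr + len(earlier_arg)] = earlier_arg
    ptr = arg_ptr + len(earlier_arg)
    mem[ptr:ptr + len(interaction)] = interaction
    tail_at = ptr + len(interaction)
    mem[tail_at:tail_at + WORD] = resolver.to_bytes(WORD, "big")
    return mem, ptr, len(interaction) + WORD   # buffer = interaction + tail


def parse_resolver_vulnerable(mem, ptr, buf_len, declared_len):
    """declared_len comes from hostile calldata and is trusted. The 'enough bytes
    left?' check wraps along with the subtraction, so a huge declared_len passes
    it, and the tail pointer wraps backwards into memory the caller controls."""
    remaining = sub_unchecked(buf_len, declared_len)
    if remaining < WORD:
        raise ValueError("tail missing")
    return mload(mem, add_unchecked(ptr, declared_len)) & ADDR_MASK


def parse_resolver_checked(mem, ptr, buf_len, declared_len):
    """Hardened form: bound the untrusted length before any arithmetic uses it."""
    if declared_len > buf_len - WORD:
        raise ValueError("declared interaction length exceeds the buffer")
    return mload(mem, ptr + declared_len) & ADDR_MASK


def demo():
    interaction = bytes(range(48))                  # constructed hostile interaction bytes
    earlier_arg = ATTACKER.to_bytes(WORD, "big")    # constructed earlier argument
    mem, ptr, buf_len = build_memory(earlier_arg, interaction, TRUSTED_RESOLVER)

    honest = parse_resolver_vulnerable(mem, ptr, buf_len, len(interaction))
    # 2**256 - len(earlier_arg): wraps ptr back to where earlier_arg was copied
    hostile_len = sub_unchecked(0, len(earlier_arg))
    hijacked = parse_resolver_vulnerable(mem, ptr, buf_len, hostile_len)
    try:
        parse_resolver_checked(mem, ptr, buf_len, hostile_len)
        checked = "accepted"
    except ValueError:
        checked = "rejected"
    return {"honest": honest, "hijacked": hijacked, "checked": checked}


if __name__ == "__main__":
    r = demo()
    print(f"honest parse   -> {r['honest']:#042x}")
    print(f"hostile parse  -> {r['hijacked']:#042x}  (caller-controlled)")
    print(f"checked parser -> {r['checked']}")
```

Run it directly to see the three outcomes. The important line in the hardened parser is the bound on `declared_len` before it feeds any subtraction or pointer arithmetic; outside inline assembly and `unchecked` blocks, Solidity 0.8's checked arithmetic reverts on the same underflow, which is why hand-rolled calldata parsing in assembly is where this class of defect tends to survive review.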

VICTIM IMPACT

Victim impact assessment: Approximately $5.0 million in user assets were diverted during the exploitation window. The majority of losses concentrated among liquidity providers and users executing large swaps during the vulnerability window. Secondary damage included reputation erosion—trust in infrastructure providers erodes faster than the assets themselves—and likely cascading withdrawal pressure on the platform in subsequent hours.

PATHOLOGIST'S NOTE

Pathologist's note: The 1inch team discovered and disclosed the vulnerability responsibly, which is genuinely commendable. This is one of the rare cases where we're performing an autopsy on something that died well—disclosed, patched, and learned from. Still doesn't bring back the five million. The resolver contract's failure demonstrates that even sophisticated protocols with established market position remain vulnerable to basic input validation failures. In the DeFi ecosystem, complexity is the disease, and insufficient guards against it remain the terminal diagnosis. Another body in the database. Another lesson no one will fully internalize until the next resolver somewhere decides to stop checking its boundaries.

"1inch's resolver contract suffered a critical calldata underflow, allowing attackers to hijack transaction routing. Five million dollars exfiltrated in March 2025. Another DeFi infrastructure play caught with its guards down."


Data from DefiLlama