1inch Resolver Calldata Bug
A legacy Fusion v1 resolver bug let an attacker craft calldata to drain $5M from 1inch resolver TrustedVolumes. Core protocol and user funds were unaffected.
- Date: March 5, 2025
- Victim: 1inch (resolver)
- Chain(s):
- Status: Recovered
On March 5, 2025, a 1inch resolver running a legacy Fusion v1 settlement contract was exploited for approximately $5 million. A calldata-construction flaw in the old resolver contract let the attacker extract the resolver's funds. 1inch's core protocol and user funds were unaffected — the loss fell on the professional resolver (TrustedVolumes), which was subsequently made whole via a white-hat negotiation that returned most funds.
What happened
1inch Fusion uses third-party "resolvers" that fill orders. A deprecated Fusion v1 resolver contract had a flaw allowing crafted calldata to drain its balance. The attacker exploited the legacy contract; the resolver operator absorbed the loss. After negotiation, the attacker returned the bulk of the funds for a bounty.
Aftermath
- 1inch emphasized core/user funds were never at risk; the deprecated resolver was retired.
- Most funds returned via white-hat settlement.
Why it matters
The 1inch resolver incident reinforces two catalogue themes: (1) legacy/deprecated contracts remain live attack surface (Yearn iEarn, Aevo) — the Fusion v1 resolver was the entry point long after v2 shipped; and (2) the bounty-return resolution is now the dominant outcome for sub-$10M exploits with identifiable, unlaundered funds. It's also a clean example of blast-radius containment by architecture: because resolvers are isolated from core protocol custody, a resolver's compromise cost the resolver, not 1inch's users — the same isolation principle that limited Solv and Deribit.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-1inch-resolver-hack-march-2025
- [02] 1inch.com: https://1inch.com/blog/post/vulnerability-discovered-in-resolver-contract/
- [03] rekt.news: https://rekt.news/1inch-rekt