The 1inch hack has returned most of the funds, and the parser contract vulnerability has existed for more than two years

BlockBeats News, March 9, after the 1inch team discovered a vulnerability in its legacy Fusion v1 parser smart contract on March 7, causing losses of about 2.4 million USDC and 1,276 WETH, totaling more than $5 million. The only thing that is compromised is the parser contract using Fusion v1. According to a post-mortem report by the Decurity security team, the vulnerability existed in code that was rewritten from Solidity to Yul in November 2022 and remained in the system for more than two years despite being audited by multiple security teams. After the incident, the attacker asks "Can I get a bounty" via an on-chain message, and then negotiates with the victim, TrustedVolumes. After successful negotiations, the attackers began returning the funds on the evening of March 5, and finally returned all of the funds except the bounty at 4:12 AM UTC on March 6. Decurity, as part of the Fusion V1 audit team, conducted an internal investigation into the incident and learned several lessons, including clarifying the threat model and audit scope, requiring additional time for code changes during the audit, validating deployed contracts, and more.