How 1inch ensures the security of users’ funds
In this article, we’ll explain how 1inch protects users’ assets against any security breaches regardless of the protocol on which swaps are made.
Security is one of the most urgent concerns in the DeFi space, as smart contracts do get hacked from time to time. Over the past few months alone, there have been several highly-publicized cases, in which significant funds were stolen due to vulnerabilities and security backdoors.
In recent months alone, several major decentralized platforms have been attacked, with millions of dollars stolen.
To rule out scenarios of that kind, the 1inch Network has always paid special attention to security issues, using the most advanced protection methods.
Let’s look at specific steps allowing us to say that trades via 1inch are fully protected.
Smart contract audits
The most obvious step to make sure a smart contract is secure is auditing. A range of independent projects provide the service of auditing smart contracts to discover possible vulnerabilities.
1inch smart contracts have been audited by 16 separate projects, which, according to The Block, is the highest number for DeFi projects. The average number of independent audits for smart contracts is three.
A list of most important 1inch smart contract audits and related details can be found here.
When it comes to aggregation smart contracts, auditors mostly focus on two aspects. First, they make sure that token approvals made by users in the 1inch Router are secure and protected from tampering.
The second aspect is ensuring that a user will receive an amount that’s no smaller than the specified minimum return. Let’s consider this in more detail.
The 1inch smart contract’s aggregation router has a parameter called minimum return. This is the minimum amount of destination tokens that a user agrees to receive. For instance, if a user wants to swap 1 ETH for 4,000 DAI, they could specify a slippage of 1%, meaning that the minimum sum they agree to receive is 4,000 DAI minus 1%, which is 3,960 DAI. This amount is sent to the smart contract, and, if as a result of a market trade, a smaller amount is returned, the transaction will be rejected.
Another major factor determining the security of smart contracts is upgradability, which enables a smart contract’s owner to make changes to its code. Thereby, theoretically, the owner could get access not only to the code, but also to users’ funds that the smart contract has access to.
To improve the security of smart contract upgrades, some projects use multisignature. Under that scheme, upgrades to the smart contract could only be executed if signed by several parties — normally, major contributors to the project.
However, the problem is that a regular user doesn’t normally know who exactly has keys allowing them to sign off on smart contract upgrades. Therefore, users have to rely on the project’s team’s overall reputation in the hope that none of the team members will do anything malicious.
Still, this contradicts the foundational idea of decentralized tech, which is supposed to be trustless.
1inch solved the upgradability issue in a radical way by making its smart contracts unupgradable by design. No one can get access to the smart contracts’ code and, consequently, to funds locked in them.
DEX aggregation: an extra security level
Currently, dozens of DEXes are in operation, and no one could fully guarantee the security of all of their smart contracts. However, DEX aggregators, such as 1inch, unite all of these exchanges in one place, enabling users to trade without having to provide access to funds in their wallets to anyone.
Thus, if a DEX has vulnerabilities, 1inch can protect users from them.
When a user makes swaps on other DEXes via 1inch, token approvals for swap deals are done in the 1inch smart contract, which, as discussed above, is unupgradable and has been heavily audited.
If the user made the same swap directly on a DEX, they would have to approve the tokens in several smart contracts, relying on their security. In case of vulnerabilities or malicious attacks, the tokens could be stolen directly from the user’s wallet.
Clearly, risks of losing funds are higher, if the user has to approve swaps for several smart contracts as opposed to just one secure smart contract.
In addition, when swapping via 1inch, users don’t have to interact with various dApps and websites, which substantially lowers risks of phishing attacks that occur from time to time.
Finally, thanks to the minimum return parameter in the aggregation router smart contract discussed above, all DEXes on which a user trades via 1inch have to return an amount of tokens that’s not smaller than the set minimum return.
Suppose a user makes a swap on an unscrupulous DEX that takes the user’s tokens and wouldn’t return the destination coins. In most cases, a transaction of that kind wouldn’t even be estimated. Still, if an attacker can route the transaction thanks to front running, the aggregation router smart contract will check if the funds have been sent to the user. And, if the minimum return parameter isn’t met, the transaction fails and the initial funds are returned to the user.
Thus, 1inch creates an extra security level on top of protection measures offered by individual DEXes. Actually, this is DEX aggregators’ major advantage over individual DEXes, alongside deeper liquidity and more favorable swap rates.
When it comes to the security of smart contracts, 1inch is one of the most advanced DeFi projects. In addition to such measures as thoroughly audited and unupgradable smart contracts, 1inch makes trading on other protocols via 1inch more secure for users.