Loss of funds on Fantom caused by user mistake, not the 1inch Network vulnerability
The problem experienced by a user was caused by sending an approval to a non-existing smart contract on Fantom.
In line with its policy to address all users’ concerns and complaints, the 1inch Network carefully investigated a recent claim that a malicious contract was allegedly deployed to one of the 1inch addresses on the Fantom network that was never functioning and determined that the claim was incorrect.
The problem experienced by the user was caused by the fact that they mistakenly sent an approval to a not-yet-deployed smart contract on Fantom. The 1inch Router v3 has never been deployed on Fantom, as 1inch supports Fantom starting from the router’s version 4.
Since the address to which the approval was sent was generated via the Profanity address generating tool — in which the 1inch team members actually found a vulnerability several weeks ago and warned users about it — an attacker got access to the contract deployer private key and deployed a contract that allowed them to execute transfer of approved tokens.
The user — even though it was their own mistake — can still apply for a refund to the 1inch Foundation at foundation@1inch.io as a point of care.
In turn, the 1inch Network would like to stress that none of the addresses obtained with the help of Profanity own any assets or rights within 1inch Network smart contracts. All 1inch Network smart contracts are totally safe and users should not have any security concerns about the 1inch Network.
However, they should observe basic security rules and avoid making mistakes that could cause them losses. Specifically, they should never give approvals to addresses without smart contracts.
Swap via 1inch and stay safe!