Vulnerability discovered in resolver contract

A vulnerability detected in a resolver smart contract prompted 1inch to swiftly redeploy it as a precaution to reinforce security.
At approximately 6 pm UTC on March 5, 2025, a vulnerability was discovered in resolver contracts utilizing an outdated and obsolete implementation of Fusion (v1). As open-source software, v1 contained outdated logic, absent from v2, that was exploited. Currently, all resolvers are using Fusion v2 instead of Fusion v1 to execute swaps with end users; therefore v1 is not live, cannot be used in swaps with end users, and is not supported by 1inch.
Importantly, no end users were affected, and their funds remained safe throughout the event. To further reinforce security, 1inch has proactively redeployed the relevant contract as a precautionary measure, even though such redeployment represents an extra security measure on top of standard practice (given that the contract utilizes v1, which is obsolete and no longer supported).
Incident overview
The incident involved a vulnerability in an older resolver implementation that enabled unintended transaction executions. This affected specific resolvers using an outdated version of Fusion v1 in their smart contracts (resolvers must use Fusion v2 to execute swaps with end users). The issue was highly complex and required a sophisticated exploitation method. While the direct impact was contained, the event underscores the need for all ecosystem participants to take proactive security measures.
This incident highlights the importance of prompt migration to newer, more secure protocol versions. This is especially true in open source environments like DeFi, where older, obsolete protocols, as with Fusion v1 in this case, may contain outdated and unsupported logic that can easily be exploited. The obsolete Fusion v1 contract was no longer supported, and Fusion v2 introduced security enhancements designed to mitigate such vulnerabilities. Whenever 1inch introduces a new version of its protocol, it advises all integration partners, including resolvers, to upgrade to the new version to ensure they receive the security protections offered by the newest version. Resolvers that continued using Fusion v1 without additional security checks increased their exposure to potential attacks.
Lessons learned
Security in DeFi requires continuous adaptation and refinement. The following measures can help improve the resilience of smart contract infrastructure:
- Regular contract reviews and updates—keeping contract implementations up-to-date helps mitigate potential risks associated with evolving attack vectors.
- Stronger validation mechanisms—implementing stricter validation in contract logic ensures that only intended execution paths are followed.
- Enhanced monitoring and anomaly detection—proactively identifying irregular transaction patterns can help prevent and mitigate potential security risks.
- Secure integration practices—ensuring that resolver implementations align with the latest security standards helps maintain the integrity of smart contract interactions.
1inch continuously evaluates and strengthens its security measures, providing best practices for resolvers and integrators. As part of this effort, the team actively monitors security trends, works with auditors, and implements upgrades to prevent similar incidents. Security is a shared responsibility, and resolvers must ensure their contracts follow best practices and undergo independent audits before deployment.
Recommendations for resolvers
Resolvers play a crucial role in DeFi execution and should adopt security best practices to enhance their robustness, for instance:
- Maintain updated implementations—upgrading contracts to the latest secure versions minimizes exposure to known vulnerabilities.
- Implement execution safeguards—applying additional authentication checks and execution limits can reduce the likelihood of exploitation.
- Run continuous risk assessment—regular security checks and stress tests strengthen overall protocol security.
- Take a collaborative approach to security—engaging with a broader security community can help identify and mitigate emerging threats early.
It is crucial to emphasize that resolvers bear the responsibility of securing their smart contract implementations. While 1inch provides open-source tools and protocol documentation, resolvers must conduct independent security assessments, implement additional protective measures, and ensure that they are deploying the latest, most secure versions of available protocols.
Conclusion
Smart contract security remains a priority in DeFi, and this incident serves as a reminder of the importance of proactive risk management. While the vulnerability was highly technical, its resolution reinforces the commitment of 1inch and its ecosystem partners to maintaining a secure trading environment.
For more technical details regarding the incident, refer to this post-mortem analysis by 1inch partner Decurity.
Disclaimer: The information and resources provided by 1inch are for informational and educational purposes only. The smart contract code shared by 1inch is open-source and provided “as is,” with no guarantees, warranties, or assurances of security or fitness for any specific use case. 1inch does not assume liability for third-party (including resolver) deployments, integrations, or potential vulnerabilities arising from the use of outdated or improperly secured versions of contracts. Resolvers and integrators are advised to conduct their own due diligence, security audits, and compliance assessments before implementing any solutions.