1inch Loses $5 Million In Hack Targeting Outdated Fusion V1

Decentralized exchange aggregator 1inch lost $5 million after a hacker exploited a vulnerability in its outdated Fusion v1 implementation, the platform confirmed.
On March 5, 1inch identified the issue affecting resolvers—entities responsible for filling orders—before making it public a day later. Blockchain security firm SlowMist later traced the stolen funds to 2.4 million USDC and 1,276 Wrapped Ether (WETH).
1inch said that end-user funds remain safe, with only resolvers running Fusion v1 impacted. The platform is now working with affected parties to secure systems and has launched bug bounty programs to uncover and fix other potential vulnerabilities.
Recovering the stolen funds seems unlikely unless the hacker agrees to return them. Some previous attacks resulted in partial recoveries, with hackers keeping 10% as a white hat bounty, similar to what happened with crypto lender Shezmu. However, other cases, like the $1.5 billion Bybit hack, have shown that recovery efforts don’t always succeed.
The Bybit hackers, linked to North Korea, laundered $1.4 billion in crypto within 10 days, using cross-chain swaps and mixers to obscure the trail. Some funds may still be traceable, according to Cyvers CEO Deddy Lavid, who noted that security firms leveraging onchain intelligence and AI models still have small windows to track and freeze assets.
Following the Bybit hack, THORChain, a cross-chain swap protocol reportedly used by the attackers, saw a surge in activity. By Feb. 27, swap volumes on THORChain surpassed $1 billion, and by March 4, the protocol generated $5 million in fees, with a total volume reaching $5.4 billion.
The situation prompted Bybit to file a proposal urging decentralized finance (DeFi) protocol ParaSwap to return fees collected from swaps involving funds stolen by the Lazarus Group.
The proposal was posted in ParaSwap’s DAO forum and requested the return of 44.67 Wrapped Ether (WETH), worth nearly $100,000, to a specified wallet.
Skepticism surrounded the request, with DAO members demanding verification before considering it. Bybit responded on March 5, posting on X to confirm its involvement.
The situation triggered a wider debate in the ParaSwap community, with members weighing the consequences of complying with the request. Some argue that retaining the funds could attract regulatory scrutiny, while others warn that issuing a refund could set a risky precedent for DeFi protocols.
DeFi researcher and ParaSwap DAO delegate Ignas highlighted the dilemma, stating that while returning the funds might reflect well on the DAO and avoid legal trouble, it could also undermine the DeFi principle of “code is law.”
“The DAO earned the fees legitimately via smart contracts. If funds are returned now, what about future cases? Sets a dangerous precedent,” Ignas said.
2025-03-07 17:23:53