Source URL: https://www.rekt.news/1inch-rekt
Source: Rekt
Title: 1Inch – Rekt
Feedly Summary: One hacker transformed 1inch resolver contracts into a $5 million ATM through an integer underflow exploit – all with a negative 512 value. Attacker pocketed $450K as a “bounty" for exposing two years of an undetected vulnerability.
AI Summary and Description: Yes
Summary: This text discusses a significant security breach that occurred in 1inch’s deprecated code, highlighting vulnerabilities in smart contracts, specifically through an integer overflow exploit. It emphasizes the inadequacy of multiple audit teams in detecting basic vulnerabilities, raising concerns about the security protocols and auditing processes in the decentralized finance (DeFi) space.
Detailed Description:
The incident described centers around a $5 million exploitation of the 1inch protocol, particularly due to a vulnerability in its older smart contract code, _settleOrder, which was expected to be obsolete but was still exploitable.
– **Attack Overview**:
– An attacker utilized a simple arithmetic trick (integer underflow) to exploit the protocol. This trick was barely more complex than basic math but was overlooked by nine audit teams, leading to a massive financial loss for market makers.
– The hacker made a series of transactions that exploited the vulnerability, which was hidden in the contract’s design since it was left unchecked during audits.
– **Auditing Failure**:
– Despite multiple rounds of audits and thorough reviews, the inherent vulnerability remained undetected, emphasizing the limitations of current security practices within DeFi.
– The switch from Solidity to Yul in the smart contract coding introduced a memory overflow bug, which multiple audit teams failed to trace, demonstrating a significant gap in the auditing process.
– **Response and Recovery**:
– The attacker, after executing the heist, ironically negotiated with one of the affected market makers, suggesting a bounty payment as a form of reparations for the heist, which took the industry by surprise.
– Ultimately, the attacker returned most of the stolen funds while keeping a “finder’s fee,” reflecting a bizarre twist in the culture of crypto theft and recovery.
– **Implications for Security Practices**:
– This event raises fundamental questions about the effectiveness of audits in securing smart contracts and whether the industry is adequately learning from such breaches.
– The incident illustrates that vulnerabilities can remain undetected for years, raising alarm on the need for improved vigilance and proactive measures in code review processes.
– **Future Considerations**:
– The necessity for stronger security frameworks and better auditing practices in DeFi is critical, as traditional measures proved ineffective against this relatively simplistic attack method.
The narrative concludes with a sobering reminder that even in a space marked by advanced technology, foundational issues such as poor code practices and oversight can lead to catastrophic failures, necessitating a re-evaluation of security strategies employed within the blockchain and DeFi ecosystems.