BlockBeats News, March 9, after the 1inch team discovered a vulnerability in its legacy Fusion v1 parser smart contract on March 7, causing losses of about 2.4 million USDC and 1,276 WETH, totaling more than $5 million. The only thing that is compromised is the parser contract using Fusion v1. According to a post-mortem report by the Decurity security team, the vulnerability existed in code that was rewritten from Solidity to Yul in November 2022 and remained in the system for more than two years despite being audited by multiple security teams. After the incident, the attacker asks “Can I get a bounty” via an on-chain message, and then negotiates with the victim, TrustedVolumes. After successful negotiations, the attackers began returning the funds on the evening of March 5, and finally returned all of the funds except the bounty at 4:12 AM UTC on March 6. Decurity, as part of the Fusion V1 audit team, conducted an internal investigation into the incident and learned several lessons, including clarifying the threat model and audit scope, requiring additional time for code changes during the audit, validating deployed contracts, and more.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
