Carbontec Uncovers $520,000 Exploit Path in 1inch Router’s Rescue Function

20 hours ago

Design Oversight in 1inch Router Allowed Withdrawal of Mis-Sent Funds

Blockchain security firm Carbontec has uncovered a significant design vulnerability in 1inch’s Aggregation Router v6 smart contract, a key DeFi protocol that facilitates token swaps for millions of users. The issue: anyone, not only the contract owner, could withdraw tokens mistakenly sent to the contract.

According to an exclusive shared with Bitcoin.com News, more than $520,000 worth of crypto, including 4.2 WBTC (approximately $445K) moved in a single transaction, was taken by unaffiliated actors across router versions 4, 5, and 6. The flaw stems from publicly callable callback functions combined with router logic that accepts a caller-supplied swap pool. Together these let an attacker craft transactions that look like routine protocol use while actually extracting tokens the router happens to hold.

Rather than being locked or retrievable only by 1inch, mis-sent tokens became fair game for anyone with technical knowledge. This is not a coding bug, but a gas-saving design tradeoff that underestimated user behavior and overestimated contract safety through obscurity.
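The pattern the article describes, reduced to a minimal illustration. This is an added example written for this page; it is not 1inch's router code and not Carbontec's proof of concept, and the contract and function names (`RouterVulnerable`, `RoguePool`, `swapCallback`, `rescueFunds`, `IPoolLike`) are assumptions chosen for the example. The vulnerable router trusts a caller-supplied pool and settles the pool's callback out of its own balance to save a `transferFrom`; the hardened router accepts the callback only from the pool it is mid-swap with, pulls the debt from the user who started the swap, and leaves recovery of mis-sent tokens to an explicit owner-only rescue function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below.
interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical pool interface (assumption for this example): a pool sends the output token
// to `recipient`, then calls back into msg.sender (the router) to collect the input token.
interface IPoolLike {
    function swap(address recipient, address tokenIn, uint256 amountIn) external;
}

// VULNERABLE PATTERN (illustrative, not 1inch's code).
// `swap` takes an arbitrary `pool` address from the caller, and `swapCallback` is public and
// settles the debt from the router's own balance. Nothing ties the callback to a swap the
// router actually started, so any contract can play the role of the pool.
contract RouterVulnerable {
    function swap(address pool, address tokenIn, uint256 amountIn) external {
        // Gas-saving trade-off: the user is expected to have sent `amountIn` to the router
        // beforehand, so no transferFrom is needed here.
        IPoolLike(pool).swap(msg.sender, tokenIn, amountIn);
    }

    function swapCallback(address token, uint256 amountOwed) external {
        // Pays whoever calls, whatever they ask for, out of tokens sitting in the router,
        // including tokens that users mis-sent here by accident.
        IERC20(token).transfer(msg.sender, amountOwed);
    }
}

// A hypothetical "pool" supplied by an unaffiliated actor. When the router calls it, it simply
// asks the router's public callback to hand over the router's entire balance of `tokenIn`.
contract RoguePool is IPoolLike {
    function swap(address, address tokenIn, uint256) external override {
        uint256 bal = IERC20(tokenIn).balanceOf(msg.sender); // msg.sender is the router
        RouterVulnerable(msg.sender).swapCallback(tokenIn, bal);
    }
}

// HARDENED PATTERN (illustrative). The callback is honoured only from the pool the router is
// currently swapping with, and the debt is pulled from the user who started the swap rather
// than from the router's balance, so tokens that land in the router are never paid out through
// the swap path. Mis-sent tokens are recoverable only by the owner via `rescueFunds`.
contract RouterHardened {
    address private constant NO_POOL = address(1); // non-zero sentinel: cheaper than clearing to 0
    address private expectedPool = NO_POOL;
    address private payer;
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function swap(address pool, address tokenIn, uint256 amountIn) external {
        require(expectedPool == NO_POOL, "reentrant swap");
        expectedPool = pool;
        payer = msg.sender;
        IPoolLike(pool).swap(msg.sender, tokenIn, amountIn);
        expectedPool = NO_POOL;
        payer = address(0);
    }

    function swapCallback(address token, uint256 amountOwed) external {
        require(msg.sender == expectedPool, "callback not from active pool");
        // Settle from the swap initiator's funds (requires their prior approval), never
        // from whatever the router happens to hold.
        IERC20(token).transferFrom(payer, msg.sender, amountOwed);
    }

    // The explicit rescue path: owner-only and not reachable through the swap machinery.
    function rescueFunds(address token, address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        IERC20(token).transfer(to, amount);
    }
}
```

Note that in the hardened router a caller-supplied `RoguePool` still receives the callback; what protects the balance is that the callback spends only the initiator's own approved tokens, so a rogue pool can drain nobody but its operator. The cost of that protection is exactly the extra `transferFrom` the vulnerable pattern avoided, which is the gas trade-off the article refers to. Whether a router should additionally restrict which pool addresses it will call is a separate design question not settled by this example.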

Miroslav Baril, CTO at Carbontec, shared some thoughts from the company’s investigation.

This is not just a 1inch issue; it’s a systemic blind spot that could be present across other DeFi protocols. The assumption that mis-sent tokens are either irretrievable or only recoverable by contract owners creates a false sense of security and safety. Real-world risks often emerge not only from bugs in code but also from design patterns. Critical aspects of structural protocol design must be balanced with security and misuse prevention.

Carbontec’s research shows this issue affects not just 1inch, but potentially any DeFi protocol that accepts external contract input or exposes internal swap callbacks. With hundreds of thousands of dollars in user funds quietly siphoned off, the investigation raises pressing questions about how DeFi protocols handle errors and who really has access to user funds.
