TechFlow reports, according to the Decurity security team, that the 1inch protocol suffered a severe DeFi attack on March 5, 2025, at 5:00 PM UTC. The attacker exploited a callback option vulnerability in the legacy 1inch Settlement contract to extract funds.
The vulnerability originated from data corruption in order suffix processing, allowing the attacker to overwrite the parser address and invoke an arbitrary parser, resulting in fund losses for market maker TrustedVolumes. According to Decurity's analysis, this vulnerability was introduced during a code rewrite from Solidity to Yul in November 2022. Despite audits by multiple security firms, the flaw remained undetected in the system for over two years.
After the incident, the attacker sent an on-chain message asking, "Can I get a bounty?" and subsequently negotiated with the affected party, TrustedVolumes. Following successful negotiations, the attacker began returning funds on the evening of March 5 and ultimately returned all funds except the bounty by March 6 at 04:12 UTC.
As one of the audit teams for Fusion V1, Decurity conducted an internal review of this incident and summarized several lessons learned, including the need to clearly define threat models and audit scopes, allocate additional time for auditing code changes during the audit period, and verify deployed contracts.




