Investigation Reveals Vulnerability in 1inch Aggregation Router
A recent investigation by the blockchain security company Carbontec has brought to light a troubling vulnerability within the 1inch Aggregation Router v6, a pivotal protocol widely utilized for token swaps in decentralized finance (DeFi). This flaw has allowed more than half a million dollars in erroneously transmitted tokens to be withdrawn by unauthorized individuals through features designed for public use, highlighting a significant oversight in contract security.
Details of the Vulnerability
The report, detailed in a revelation shared with Bitcoin.com News, indicates that over $520,000 worth of cryptocurrency, including a notable transaction involving 4.2 WBTC valued at approximately $445,000, has been improperly extracted by parties unrelated to the protocol. The root of the issue lies in the existence of open callback functions within the contract’s design, combined with the router’s tendency to accept user-defined swap pools. This combination has enabled individuals to conduct illicit transactions that can disguise the withdrawal of funds as routine contract operations.
Implications of the Design Flaw
Instead of locking misdirected tokens or restricting access solely to the 1inch team, the current system allows anyone versed in the technicalities to lay claim to these assets. It’s important to note that this problem is not a mere oversight or bug in the code, but rather a strategic design decision focused on saving gas costs, which inadvertently overlooked user interactions and overestimated the security provided by obscurity.
Broader Concerns in DeFi
Miroslav Baril, the Chief Technology Officer at Carbontec, emphasized that the oversight represents a broader concern affecting not only 1inch but potentially many other DeFi projects. The common misconception that mistakenly sent tokens are either permanently lost or solely recoverable by contract owners has contributed to a misleading sense of security in the DeFi space.
Baril pointed out that actual risks do not solely stem from coding errors but can also arise from the inherent design choices of protocols. Carbontec’s findings indicate that this vulnerability may exist across various DeFi protocols that accept inputs from external contracts or reveal internal callback functions. With significant amounts of user funds being quietly siphoned off due to this security gap, the investigation calls into serious question the methodologies employed by DeFi protocols in managing errors and safeguarding users’ assets.
