• bitcoinBitcoin (BTC) $ 118,734.00
  • ethereumEthereum (ETH) $ 3,174.57
  • xrpXRP (XRP) $ 2.98
  • tetherTether (USDT) $ 1.00
  • bnbBNB (BNB) $ 692.63
  • solanaSolana (SOL) $ 166.94
  • usd-coinUSDC (USDC) $ 0.999898
  • dogecoinDogecoin (DOGE) $ 0.201358
  • staked-etherLido Staked Ether (STETH) $ 3,171.97
  • tronTRON (TRX) $ 0.300641
  • cardanoCardano (ADA) $ 0.753292
  • hyperliquidHyperliquid (HYPE) $ 48.01
  • wrapped-bitcoinWrapped Bitcoin (WBTC) $ 118,597.00
  • stellarStellar (XLM) $ 0.473585
  • suiSui (SUI) $ 4.02
  • wrapped-stethWrapped stETH (WSTETH) $ 3,840.58
  • chainlinkChainlink (LINK) $ 16.55
  • hedera-hashgraphHedera (HBAR) $ 0.240633
  • bitcoin-cashBitcoin Cash (BCH) $ 497.74
  • avalanche-2Avalanche (AVAX) $ 22.04
  • wrapped-eethWrapped eETH (WEETH) $ 3,402.30
  • shiba-inuShiba Inu (SHIB) $ 0.000014
  • leo-tokenLEO Token (LEO) $ 8.83
  • the-open-networkToncoin (TON) $ 3.12
  • wethWETH (WETH) $ 3,174.27
  • litecoinLitecoin (LTC) $ 97.29
  • usdsUSDS (USDS) $ 0.999703
  • binance-bridged-usdt-bnb-smart-chainBinance Bridged USDT (BNB Smart Chain) (BSC-USD) $ 0.999644
  • whitebitWhiteBIT Coin (WBT) $ 44.71
  • polkadotPolkadot (DOT) $ 4.12
  • moneroMonero (XMR) $ 332.27
  • coinbase-wrapped-btcCoinbase Wrapped BTC (CBBTC) $ 118,730.00
  • pepePepe (PEPE) $ 0.000013
  • uniswapUniswap (UNI) $ 9.14
  • ethena-usdeEthena USDe (USDE) $ 0.999987
  • bitget-tokenBitget Token (BGB) $ 4.68
  • aaveAave (AAVE) $ 330.41
  • bittensorBittensor (TAO) $ 439.39
  • daiDai (DAI) $ 1.00
  • aptosAptos (APT) $ 5.18
  • crypto-com-chainCronos (CRO) $ 0.107796
  • pi-networkPi Network (PI) $ 0.433520
  • nearNEAR Protocol (NEAR) $ 2.67
  • ethena-staked-usdeEthena Staked USDe (SUSDE) $ 1.18
  • ondo-financeOndo (ONDO) $ 0.949515
  • ethereum-classicEthereum Classic (ETC) $ 19.53
  • internet-computerInternet Computer (ICP) $ 5.52
  • okbOKB (OKB) $ 47.90
  • jito-staked-solJito Staked SOL (JITOSOL) $ 203.16
  • blackrock-usd-institutional-digital-liquidity-fundBlackRock USD Institutional Digital Liquidity Fund (BUIDL) $ 1.00
  • bonkBonk (BONK) $ 0.000034
  • mantleMantle (MNT) $ 0.729616
  • algorandAlgorand (ALGO) $ 0.285767
  • kaspaKaspa (KAS) $ 0.089728
  • pump-funPump.fun (PUMP) $ 0.006597
  • ethenaEthena (ENA) $ 0.364178
  • usd1-wlfiUSD1 (USD1) $ 0.999969
  • arbitrumArbitrum (ARB) $ 0.435977
  • vechainVeChain (VET) $ 0.025131
  • cosmosCosmos Hub (ATOM) $ 4.65
  • sei-networkSei (SEI) $ 0.368927
  • pudgy-penguinsPudgy Penguins (PENGU) $ 0.033409
  • polygon-ecosystem-tokenPOL (ex-MATIC) (POL) $ 0.231859
  • render-tokenRender (RENDER) $ 3.97
  • fetch-aiArtificial Superintelligence Alliance (FET) $ 0.766625
  • official-trumpOfficial Trump (TRUMP) $ 9.97
  • fasttokenFasttoken (FTN) $ 4.48
  • binance-peg-wethBinance-Peg WETH (WETH) $ 3,176.75
  • susdssUSDS (SUSDS) $ 1.06
  • gatechain-tokenGate (GT) $ 15.81
  • worldcoin-wldWorldcoin (WLD) $ 1.08
  • filecoinFilecoin (FIL) $ 2.62
  • lombard-staked-btcLombard Staked BTC (LBTC) $ 118,377.00
  • spx6900SPX6900 (SPX) $ 1.83
  • skySky (SKY) $ 0.079357
  • quant-networkQuant (QNT) $ 115.14
  • binance-staked-solBinance Staked SOL (BNSOL) $ 178.05
  • jupiter-exchange-solanaJupiter (JUP) $ 0.530015
  • jupiter-perpetuals-liquidity-provider-tokenJupiter Perpetuals Liquidity Provider Token (JLP) $ 4.80
  • kelp-dao-restaked-ethKelp DAO Restaked ETH (RSETH) $ 3,328.86
  • rocket-pool-ethRocket Pool ETH (RETH) $ 3,626.40
  • kucoin-sharesKuCoin (KCS) $ 11.66
  • usdtbUSDtb (USDTB) $ 1.00
  • first-digital-usdFirst Digital USD (FDUSD) $ 0.997889
  • celestiaCelestia (TIA) $ 1.96
  • usdt0USDT0 (USDT0) $ 1.00
  • nexoNEXO (NEXO) $ 1.31
  • story-2Story (IP) $ 4.45
  • injective-protocolInjective (INJ) $ 13.35
  • blockstackStacks (STX) $ 0.807128
  • xdce-crowd-saleXDC Network (XDC) $ 0.078096
  • fartcoinFartcoin (FARTCOIN) $ 1.27
  • optimismOptimism (OP) $ 0.714270
  • flare-networksFlare (FLR) $ 0.017541
  • stakewise-v3-osethStakeWise Staked ETH (OSETH) $ 3,335.68
  • sonic-3Sonic (S) $ 0.371730
  • mantle-staked-etherMantle Staked Ether (METH) $ 3,388.21
  • solv-btcSolv Protocol BTC (SOLVBTC) $ 118,541.00
  • virtual-protocolVirtuals Protocol (VIRTUAL) $ 1.69
  • dogwifcoindogwifhat (WIF) $ 1.11
  • curve-dao-tokenCurve DAO (CRV) $ 0.794464
  • polygon-bridged-usdt-polygonPolygon Bridged USDT (Polygon) (USDT) $ 1.00
  • renzo-restaked-ethRenzo Restaked ETH (EZETH) $ 3,355.28
  • flokiFLOKI (FLOKI) $ 0.000109
  • liquid-staked-ethereumLiquid Staked ETH (LSETH) $ 3,434.35
  • immutable-xImmutable (IMX) $ 0.540719
  • the-graphThe Graph (GRT) $ 0.103145
  • binance-bridged-usdc-bnb-smart-chainBinance Bridged USDC (BNB Smart Chain) (USDC) $ 0.999790
  • arbitrum-bridged-wbtc-arbitrum-oneArbitrum Bridged WBTC (Arbitrum One) (WBTC) $ 118,569.00
  • pax-goldPAX Gold (PAXG) $ 3,343.72
  • clbtcclBTC (CLBTC) $ 120,006.00
  • syrupusdcSyrupUSDC (SYRUPUSDC) $ 1.11
  • wbnbWrapped BNB (WBNB) $ 692.54
  • kaiaKaia (KAIA) $ 0.152168
  • vaultaVaulta (A) $ 0.556358
  • ethereum-name-serviceEthereum Name Service (ENS) $ 26.25
  • jupiter-staked-solJupiter Staked SOL (JUPSOL) $ 187.63
  • iotaIOTA (IOTA) $ 0.223112
  • pancakeswap-tokenPancakeSwap (CAKE) $ 2.46
  • paypal-usdPayPal USD (PYUSD) $ 1.00
  • theta-tokenTheta Network (THETA) $ 0.834074
  • msolMarinade Staked SOL (MSOL) $ 218.52
  • tether-goldTether Gold (XAUT) $ 3,334.54
  • lido-daoLido DAO (LDO) $ 0.910691
  • jasmycoinJasmyCoin (JASMY) $ 0.016671
  • galaGALA (GALA) $ 0.017743
  • raydiumRaydium (RAY) $ 2.95
  • the-sandboxThe Sandbox (SAND) $ 0.313661
  • aerodrome-financeAerodrome Finance (AERO) $ 0.887680
  • superstate-short-duration-us-government-securities-fund-ustbSuperstate Short Duration U.S. Government Securities Fund (USTB) (USTB) $ 10.75
  • saros-financeSaros (SAROS) $ 0.275448
  • zcashZcash (ZEC) $ 44.14
  • pyth-networkPyth Network (PYTH) $ 0.123198
  • ousgOUSG (OUSG) $ 111.81
  • mantle-restaked-ethMantle Restaked ETH (CMETH) $ 3,391.13
  • super-oethSuper OETH (SUPEROETH) $ 3,178.76
  • jito-governance-tokenJito (JTO) $ 1.93
  • bittorrentBitTorrent (BTT) $ 0.00000069
  • pendlePendle (PENDLE) $ 4.16
  • tezosTezos (XTZ) $ 0.648767
  • usdx-money-usdxStables Labs USDX (USDX) $ 0.998441
  • mog-coinMog Coin (MOG) $ 0.000002
  • cgeth-hashkey-cloudcgETH Hashkey Cloud (CGETH.HASH) $ 3,311.99
  • memecoreMemeCore (M) $ 0.396855
  • morphoMorpho (MORPHO) $ 2.05
  • tbtctBTC (TBTC) $ 118,571.00
  • falcon-financeFalcon USD (USDF) $ 0.999929
  • walrus-2Walrus (WAL) $ 0.464276
  • chain-2Onyxcoin (XCN) $ 0.018863
  • flowFlow (FLOW) $ 0.398611
  • ondo-us-dollar-yieldOndo US Dollar Yield (USDY) $ 1.09
  • decentralandDecentraland (MANA) $ 0.315743
  • l2-standard-bridged-weth-baseL2 Standard Bridged WETH (Base) (WETH) $ 3,171.32
  • newton-projectAB (AB) $ 0.008759
  • telcoinTelcoin (TEL) $ 0.006415
  • based-brettBrett (BRETT) $ 0.059119
  • solv-protocol-solvbtc-bbnSolv Protocol Staked BTC (XSOLVBTC) $ 118,373.00
  • usual-usdUsual USD (USD0) $ 0.997771
  • bitcoin-svBitcoin SV (BSV) $ 29.59
  • heliumHelium (HNT) $ 3.11
  • wrapped-hypeWrapped HYPE (WHYPE) $ 48.01
  • bitcoin-avalanche-bridged-btc-bAvalanche Bridged BTC (Avalanche) (BTC.B) $ 118,804.00
  • coredaoorgCore (CORE) $ 0.549527
  • thorchainTHORChain (RUNE) $ 1.57
  • arbitrum-bridged-weth-arbitrum-oneArbitrum Bridged WETH (Arbitrum One) (WETH) $ 3,174.71
  • apecoinApeCoin (APE) $ 0.659403
  • conflux-tokenConflux (CFX) $ 0.102826
  • staked-hypeStaked HYPE (STHYPE) $ 47.97
  • ripple-usdRipple USD (RLUSD) $ 0.999910
  • usddUSDD (USDD) $ 1.00
  • binance-peg-dogecoinBinance-Peg Dogecoin (DOGE) $ 0.201660
  • beldexBeldex (BDX) $ 0.071689
  • starknetStarknet (STRK) $ 0.141443
  • build-onBUILDon (B) $ 0.499248
  • syrupMaple Finance (SYRUP) $ 0.465410
  • savings-daiSavings Dai (SDAI) $ 1.16
  • stader-ethxStader ETHx (ETHX) $ 3,378.29
  • true-usdTrueUSD (TUSD) $ 0.998599
  • reserve-rights-tokenReserve Rights (RSR) $ 0.008341
  • arweaveArweave (AR) $ 7.39
  • dydx-chaindYdX (DYDX) $ 0.639754
  • deepDeepBook (DEEP) $ 0.191503
  • ether-fiEther.fi (ETHFI) $ 1.27
  • 1inch1inch (1INCH) $ 0.339064
  • venomVenom (VENOM) $ 0.226407
  • aioz-networkAIOZ Network (AIOZ) $ 0.396498
  • kavaKava (KAVA) $ 0.430686
  • compound-governance-tokenCompound (COMP) $ 49.48
  • coinbase-wrapped-staked-ethCoinbase Wrapped Staked ETH (CBETH) $ 3,504.10
  • neoNEO (NEO) $ 6.51
  • elrond-erd-2MultiversX (EGLD) $ 16.01
  • eigenlayerEigenCloud (prev. EigenLayer) (EIGEN) $ 1.44
  • dexeDeXe (DEXE) $ 7.86
  • apenftAPENFT (NFT) $ 0.00000045
  • ether-fi-staked-ethether.fi Staked ETH (EETH) $ 3,177.30
  • ecasheCash (XEC) $ 0.000022
  • dog-go-to-the-moon-runeDog (Bitcoin) (DOG) $ 0.004355
  • zksyncZKsync (ZK) $ 0.059416
  • axie-infinityAxie Infinity (AXS) $ 2.57
  • swethSwell Ethereum (SWETH) $ 3,477.41
Bitcoin

Carbontec Uncovers $520,000 Exploit Path in 1inch Router’s Rescue Function

By admin
0 3

Carbontec Uncovers $520,000 Exploit Path in 1inch Router’s Rescue Function

A Carbontec investigation revealed that over $520,000 in mis-sent tokens were quietly withdrawn from 1inch Routers v4–v6 via public functions, exposing a security blind spot in one of defi’s most widely used contracts.

Design Oversight in 1inch Router Allowed Withdrawal of Mis-Sent Funds

Blockchain security firm Carbontec has uncovered a significant design vulnerability in 1inch’s Aggregation Router v6 smart contract, a key defi protocol that facilitates token swaps for millions of users. The issue? Anyone could withdraw tokens mistakenly sent to the contract, not just the owner.

According to an exclusive shared with Bitcoin.com News, more than $520,000 worth of crypto, including 4.2 WBTC (approximately $445K) in one transaction, was moved by unaffiliated actors across router versions 4, 5, and 6. The flaw stems from publicly accessible callback functions and the router’s logic that accepts user-defined swap pools. These allow for spoofed transactions that effectively launder fund extractions under the guise of routine protocol use.

Rather than being locked or retrievable only by 1inch, mis-sent tokens became fair game for anyone with technical knowledge. This is not a coding bug, but a gas-saving design tradeoff that underestimated user behavior and overestimated contract safety through obscurity.

Miroslav Baril, CTO at Carbontec, shared some thoughts from the company’s investigation.

This is not just a 1-inch issue; it’s a systemic blind spot that could be present across other defi protocols. The assumption that mis-sent tokens are either irretrievable or only recoverable by contract owners creates a false sense of security and safety. Real-world risks often emerge not only from bugs in code but also from design patterns. Critical aspects of structural protocol design must be balanced with security and misuse prevention.

Carbontec’s research shows this issue affects not just 1inch, but potentially any defi protocol that accepts external contract input or exposes internal swap callbacks. With hundreds of thousands in user funds quietly siphoned off, the investigation raises pressing questions about how defi protocols handle errors and who really has access to user funds.

Source

admin 16524 posts 0 comments
You might also like More from author

Leave A Reply

Your email address will not be published.

Verified by MonsterInsights