Carbontec’s investigation reveals that over $520,000 in mistakenly sent tokens were quietly withdrawn from the 1inch router V4 through V6 via public functions, exposing security blind spots in one of DeFi’s most widely used contracts.
Design oversight in 1inch routers allows withdrawal of mistakenly sent funds
Blockchain security company Carbontec has revealed a critical design vulnerability in the 1inch Aggregation Router V6 smart contract, a key DeFi protocol that drives token swaps for millions of users. The problem? Anyone can pull out tokens that were mistakenly sent to the contract, not just the owner.
More than $520,000 in crypto assets, including 4.2 WBTC (about $445K) in a single transaction, have been moved by unrelated actors from router versions 4, 5 and 6, according to findings shared exclusively with Bitcoin.com News. The routers allow spoofed transactions that effectively disguise fund extraction as routine protocol use.
Rather than being locked or recoverable only by 1inch, mistakenly sent tokens have become fair game for anyone with the technical know-how. This is not a coding bug, but a gas-saving design trade-off that underestimates user error and overestimates the safety of contract obscurity.
Carbontec CTO Miroslav Baril shared some thoughts from the company’s research.
“This is not just a 1inch problem. This is a systematic blind spot that could exist across other DeFi protocols. The assumption that mistakenly sent tokens are unrecoverable, or recoverable only by the contract owner, creates a false sense of security. Real-world risks often arise not only from code bugs, but also from design patterns. An important aspect of structural protocol design is the need to balance security and misuse prevention.”
According to Carbontec’s research, this issue affects not only 1inch, but also other DeFi protocols that accept external contract input or expose internal swap callbacks. With hundreds of thousands of dollars in user funds quietly drained, the investigation raises pressing questions about how DeFi protocols handle errors and who really has access to user funds.
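To make the design pattern concrete, here is an added Solidity illustration written for this article; it is not 1inch’s code and does not reproduce the router’s internals. The contract names, the IERC20 subset and the ISwapVenue interface are assumptions. LeakyRouter shows the gas-saving trade-off the article describes: a public settlement function that pays out whatever balance the contract holds, so tokens sent there by mistake belong to the first caller. GuardedRouter shows the mitigations a reviewer would ask for: payouts bounded by the balance change produced during the call, venues drawn from an owner-managed allowlist instead of arbitrary caller input, a reentrancy guard, and an explicit owner-gated rescue path for stray balances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; none of this is 1inch's code. The interfaces,
// contract names and the ISwapVenue abstraction are assumptions made for
// the example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical liquidity venue the router forwards swaps to.
interface ISwapVenue {
    function swap(address tokenIn, address tokenOut, uint256 amountIn, address recipient) external;
}

// The design pattern the article describes: a public function that pays
// out of the contract's own balance without tying the amount to what the
// caller brought in. Cheap in gas, but any token that ever lands here
// (including tokens sent by mistake) goes to whoever calls first.
contract LeakyRouter {
    function settle(IERC20 token, address to) external {
        token.transfer(to, token.balanceOf(address(this)));
    }
}

// Hardened version: payouts are bounded by the balance change produced
// during this call, venues come from an owner-managed allowlist rather
// than arbitrary caller input, and stray balances are recoverable only
// through an explicit owner-gated rescue function.
contract GuardedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedVenue;
    bool private locked;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier nonReentrant() {
        require(!locked, "reentrancy");
        locked = true;
        _;
        locked = false;
    }

    function setVenue(address venue, bool allowed) external onlyOwner {
        allowedVenue[venue] = allowed;
    }

    function swap(
        ISwapVenue venue,
        IERC20 tokenIn,
        IERC20 tokenOut,
        uint256 amountIn,
        uint256 minOut,
        address to
    ) external nonReentrant returns (uint256 amountOut) {
        require(allowedVenue[address(venue)], "venue not allowed");

        // Snapshot before the swap so pre-existing (possibly mistakenly
        // sent) tokenOut balances are never counted as swap proceeds.
        uint256 before = tokenOut.balanceOf(address(this));

        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(tokenIn.approve(address(venue), amountIn), "approve failed");
        venue.swap(address(tokenIn), address(tokenOut), amountIn, address(this));

        // Only the delta produced by this call is paid out.
        amountOut = tokenOut.balanceOf(address(this)) - before;
        require(amountOut >= minOut, "slippage");
        require(tokenOut.transfer(to, amountOut), "payout failed");
    }

    // Only the owner can move tokens that were not produced by a swap.
    function rescueTokens(IERC20 token, address to, uint256 amount) external onlyOwner {
        require(token.transfer(to, amount), "rescue failed");
    }
}
```

The balance-delta accounting in GuardedRouter.swap costs two extra balanceOf reads per swap, which is the kind of gas overhead a router author might be tempted to drop; the article’s point is that dropping it turns every stray deposit into a first-come, first-served prize. A monitoring team can apply the same idea off-chain: flag any outgoing ERC-20 transfer from a router whose amount exceeds what the same transaction brought in.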