
Carbontec Uncovers $520,000 Exploit Path in 1inch Router’s Rescue Function


A Carbontec investigation revealed that over $520,000 in mis-sent tokens were quietly withdrawn from 1inch Routers v4–v6 via public functions, exposing a security blind spot in one of defi’s most widely used contracts.

Design Oversight in 1inch Router Allowed Withdrawal of Mis-Sent Funds

Blockchain security firm Carbontec has uncovered a significant design vulnerability in 1inch’s Aggregation Router v6 smart contract, a key defi protocol that facilitates token swaps for millions of users. The issue? Anyone could withdraw tokens mistakenly sent to the contract, not just the owner.

According to an exclusive shared with Bitcoin.com News, more than $520,000 worth of crypto, including 4.2 WBTC (approximately $445K) in one transaction, was moved by unaffiliated actors across router versions 4, 5, and 6. The flaw stems from publicly accessible callback functions and the router’s logic that accepts user-defined swap pools. These allow for spoofed transactions that effectively launder fund extractions under the guise of routine protocol use.

Rather than being locked or retrievable only by 1inch, mis-sent tokens became fair game for anyone with technical knowledge. This is not a coding bug, but a gas-saving design tradeoff that underestimated user behavior and overestimated contract safety through obscurity.

Miroslav Baril, CTO at Carbontec, shared some thoughts from the company’s investigation.

“This is not just a 1inch issue; it’s a systemic blind spot that could be present across other defi protocols. The assumption that mis-sent tokens are either irretrievable or only recoverable by contract owners creates a false sense of security and safety. Real-world risks often emerge not only from bugs in code but also from design patterns. Critical aspects of structural protocol design must be balanced with security and misuse prevention.”

Carbontec’s research shows this issue affects not just 1inch, but potentially any defi protocol that accepts external contract input or exposes internal swap callbacks. With hundreds of thousands in user funds quietly siphoned off, the investigation raises pressing questions about how defi protocols handle errors and who really has access to user funds.
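
One way a monitoring team could watch a router contract for the pattern described above (an added example, not Carbontec's or 1inch's code). It assumes the router's balance of each token nets to zero within an ordinary swap transaction; the `ROUTER` placeholder, the record fields, the alert names and the sample transfers are all constructed for illustration.

```python
from collections import defaultdict

ROUTER = "0xROUTER"  # placeholder, not a real contract address

# Constructed ERC-20 Transfer records (integer token units), in chain order.
TRANSFERS = [
    {"tx": "0xa1", "token": "TKA", "from": "0xalice", "to": ROUTER, "amount": 100},
    {"tx": "0xa1", "token": "TKA", "from": ROUTER, "to": "0xpool", "amount": 100},
    {"tx": "0xb2", "token": "TKB", "from": "0xbob", "to": ROUTER, "amount": 4},
    {"tx": "0xc3", "token": "TKB", "from": ROUTER, "to": "0xcarol", "amount": 4},
    {"tx": "0xd4", "token": "TKA", "from": "0xdave", "to": ROUTER, "amount": 10},
    {"tx": "0xe5", "token": "TKA", "from": ROUTER, "to": "0xdave", "amount": 10},
    {"tx": "0xf6", "token": "TKC", "from": "0xerin", "to": ROUTER, "amount": 7},
]

def audit_router(transfers, router=ROUTER):
    """Return (alerts, stranded): balance changes that are not pass-through swaps."""
    net = defaultdict(int)        # (tx, token) -> net change in router balance
    senders = defaultdict(set)    # (tx, token) -> who paid the router
    receivers = defaultdict(set)  # (tx, token) -> who the router paid
    for t in transfers:
        key = (t["tx"], t["token"])
        if t["to"] == router:
            net[key] += t["amount"]
            senders[key].add(t["from"])
        if t["from"] == router:
            net[key] -= t["amount"]
            receivers[key].add(t["to"])

    stranded = defaultdict(int)    # token -> balance left sitting in the router
    depositors = defaultdict(set)  # token -> addresses that stranded funds
    alerts = []
    for (tx, token), delta in net.items():  # dicts keep first-seen (chain) order
        if delta > 0:    # tokens arrived and never left in the same transaction
            stranded[token] += delta
            depositors[token] |= senders[(tx, token)]
            alerts.append(("STRANDED_DEPOSIT", tx, token, delta))
        elif delta < 0:  # router balance drained outside a balanced swap
            outsiders = receivers[(tx, token)] - depositors[token]
            kind = "SWEEP_BY_THIRD_PARTY" if outsiders else "RETURN_TO_DEPOSITOR"
            stranded[token] += delta
            alerts.append((kind, tx, token, -delta))
    return alerts, {tok: bal for tok, bal in stranded.items() if bal}

if __name__ == "__main__":
    for alert in audit_router(TRANSFERS)[0]:
        print(alert)
```

A `STRANDED_DEPOSIT` alert is the earliest signal: it marks funds that, per the findings above, anyone could later withdraw.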
