Carbontec Uncovers $520,000 Exploit Path in 1inch Router’s Rescue Function

A Carbontec investigation revealed that over $520,000 in mis-sent tokens were quietly withdrawn from 1inch Routers v4–v6 via public functions, exposing a security blind spot in one of defi’s most widely used contracts.

Design Oversight in 1inch Router Allowed Withdrawal of Mis-Sent Funds

Blockchain security firm Carbontec has uncovered a significant design vulnerability in 1inch’s Aggregation Router v6 smart contract, a key defi protocol that facilitates token swaps for millions of users. The issue? Anyone could withdraw tokens mistakenly sent to the contract, not just the owner.

According to an exclusive shared with Bitcoin.com News, more than $520,000 worth of crypto, including 4.2 WBTC (approximately $445K) in one transaction, was moved by unaffiliated actors across router versions 4, 5, and 6. The flaw stems from publicly accessible callback functions and the router’s logic that accepts user-defined swap pools. These allow for spoofed transactions that effectively launder fund extractions under the guise of routine protocol use.

Rather than being locked or retrievable only by 1inch, mis-sent tokens became fair game for anyone with technical knowledge. This is not a coding bug, but a gas-saving design tradeoff that underestimated user behavior and overestimated contract safety through obscurity.

Miroslav Baril, CTO at Carbontec, shared some thoughts from the company’s investigation.

This is not just a 1-inch issue; it’s a systemic blind spot that could be present across other defi protocols. The assumption that mis-sent tokens are either irretrievable or only recoverable by contract owners creates a false sense of security and safety. Real-world risks often emerge not only from bugs in code but also from design patterns. Critical aspects of structural protocol design must be balanced with security and misuse prevention.

Carbontec’s research shows this issue affects not just 1inch, but potentially any defi protocol that accepts external contract input or exposes internal swap callbacks. With hundreds of thousands in user funds quietly siphoned off, the investigation raises pressing questions about how defi protocols handle errors and who really has access to user funds.

Source