Introduction
We express our gratitude to the 1inch team for the collaborative engagement that enabled the execution of this Pentest.
1inch is a leading decentralized finance infrastructure platform that connects users and developers to the broader world of Web3 through advanced liquidity aggregation, optimized transaction routing, and a comprehensive suite of Web3 APIs. Originally known for its decentralized exchange aggregation technology that finds optimal swap routing across multiple liquidity sources, 1inch has expanded into 1inch Business, a developer-focused API platform designed to power DeFi products, wallets, and enterprise applications. With a focus on performance, security, and scalability, 1inch enables seamless integration of DeFi capabilities into applications and services, serving both individual users and institutional builders.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for 1inch |
| Approved By | Stephen Ajayi |
| Website | https://1inch.com/ |
| Changelog | 22/01/2026 - Preliminary Report |
| Changelog | 06/02/2026 - Final Report |
| Platform | Web_API |
| Tags | Pentest, GrayBox |
| Methodology | https://docs.hacken.io/methodologies/pentesting |
| Review Scope | |
|---|---|
| Api Documentation | https://business.1inch.com/portal/documentation/overview |
Audit Summary
System users should acknowledge all the risks summarized in the Risks section of this report.
System Overview
1inch Business is a developer-centric Web3 API platform that provides a robust and scalable suite of APIs for decentralized finance and blockchain data. The platform is designed to simplify the integration of DeFi primitives and on-chain data into applications, allowing teams to build sophisticated crypto products without maintaining custom infrastructure. Whether for token swaps, real-time price feeds, transaction management, or portfolio insights, 1inch Business delivers reliable endpoints and tools that support diverse blockchain networks and use cases.
Key features:
- Comprehensive Web3 APIs: Developers can access a full suite of APIs including Swap, Orderbook, Balance, Spot Price, Token, Transaction Gateway, Portfolio, Gas Price, NFT data, and Web3 RPC, among others, to power DeFi operations and analytics.
- Multi-Chain Support: The platform supports multiple blockchain networks (e.g., Ethereum, BNB Chain, Polygon, Arbitrum, Optimism, Solana, and more), enabling seamless integration across ecosystems for cross-chain data and transaction routing.
- Enterprise-Ready Infrastructure: Built with scale and reliability in mind, 1inch Business offers SLA-backed performance, high throughput rate limits, and enterprise features such as role-based access and secure API key management.
- Optimized DeFi Functionality: Through advanced routing algorithms and deep liquidity access, the APIs help achieve optimal swap rates, low slippage outcomes, and efficient transaction execution, which is especially valuable for wallets, trading platforms, and analytics tools.
- Developer Experience Tools: Rich documentation, code samples, SDKs, and live support facilitate quick onboarding and integration, making it easier to build, test, and scale Web3 applications.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2026-1482 | Legacy API Version Exposure in Swap Order Status Endpoint | accepted | Observation |
| F-2026-1482 | Legacy Swap API Version Exposure in 1inch Classic Swap (Pathfinder) Endpoint | accepted | Observation |
| F-2026-1482 | Improper Input Validation of orderHash Parameter in Order Events Endpoint | accepted | Observation |
| F-2026-1481 | Lack of Input Validation for orderHashes Parameter in Swap Order Status API | accepted | Observation |
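The last two findings concern validation of the orderHash and orderHashes request parameters. The Python below is an added example, not code from this report or from 1inch, of the strict allow-list check a practitioner would expect at the API edge for such parameters. It assumes an order hash is a 32-byte value rendered as "0x" followed by 64 hex digits, and a batch limit of 100 entries per request; both are assumptions for illustration, not values taken from the 1inch documentation.

```python
import re
from typing import List, Union

# Added example, not 1inch's code. Assumes an order hash is a 32-byte value
# rendered as "0x" plus 64 hex digits, and a batch limit of 100 hashes per
# request (an assumed value, not one taken from the 1inch documentation).
ORDER_HASH_RE = re.compile(r"0x[0-9a-fA-F]{64}")
MAX_ORDER_HASHES = 100


class InvalidOrderHash(ValueError):
    """Raised when an orderHash / orderHashes parameter fails validation."""


def validate_order_hash(value: object) -> str:
    """Accept only a 0x-prefixed 64-hex-digit string; return it lowercased.

    Rejecting anything else at the edge means the backend never sees
    over-long input, non-hex characters, trailing whitespace or unexpected types.
    """
    if not isinstance(value, str):
        raise InvalidOrderHash("orderHash must be a string")
    if ORDER_HASH_RE.fullmatch(value) is None:
        raise InvalidOrderHash("orderHash must be 0x followed by 64 hex digits")
    return value.lower()


def validate_order_hashes(raw: Union[str, List[object]],
                          max_items: int = MAX_ORDER_HASHES) -> List[str]:
    """Validate a batch parameter given as a list or comma-separated string.

    Every element must pass validate_order_hash; the batch must be non-empty
    and bounded, and duplicates are collapsed so a caller cannot inflate the
    backend's work by repeating one hash.
    """
    if isinstance(raw, str):
        items: List[object] = [p.strip() for p in raw.split(",")]
    elif isinstance(raw, (list, tuple)):
        items = list(raw)
    else:
        raise InvalidOrderHash("orderHashes must be a list or comma-separated string")
    if not items or any(i == "" for i in items):
        raise InvalidOrderHash("orderHashes must not be empty or contain empty entries")
    if len(items) > max_items:
        raise InvalidOrderHash(f"orderHashes may contain at most {max_items} entries")
    unique: List[str] = []
    for item in items:
        h = validate_order_hash(item)
        if h not in unique:
            unique.append(h)
    return unique


def is_rejected(fn, value) -> bool:
    """Return True when fn raises InvalidOrderHash for value."""
    try:
        fn(value)
    except InvalidOrderHash:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not real 1inch orders.
    good = "0x" + "Ab" * 32
    print(validate_order_hash(good))                          # lowercased copy
    print(validate_order_hashes(good + "," + good.lower()))   # deduplicated to one
    for bad in ["0x" + "ab" * 31, "ab" * 32, "0x" + "zz" * 32, 42, good + "\n"]:
        print(repr(bad)[:24], "rejected:", is_rejected(validate_order_hash, bad))
```

The point of the allow-list regex rather than a blacklist is that anything not exactly matching the expected shape (wrong length, non-hex bytes, injected quotes, newlines, wrong type) is refused before it reaches a query or an upstream service, and the bounded, deduplicated batch keeps the orderHashes parameter from being used to amplify backend work.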
Appendix 1. Severity Definitions
Findings are categorized by their potential impact and assigned a severity level using the Common Vulnerability Scoring System (CVSS) version 4.0:
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as minor recommendations. |
Appendix 2. Scope
The scope of the project includes the following:
| Scope Details | |
|---|---|
| API Documentation | https://business.1inch.com/portal/documentation/apis/swap/classic-swap/introduction |
Appendix 3. Additional Valuables
Frameworks and Methodologies
This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment), the Penetration Testing Execution Standard (PTES), and the OWASP Testing Guide. These standards provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken's internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.