Introduction
We express our gratitude to the 1INCH team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
1inch employs a mix of Web3 blockchain analytics and security services, Web2 detection and takedown services, optional user account creation services and suspicious activity reporting services.
Document | |
---|---|
Name | Smart Contract Code Review and Security Analysis Report for 1INCH |
Audited By | Hacken |
Changelog | 04/01/2020 - Final Report |
Platform | Ethereum, NEAR, BNB Chain, Polygon, Avalanche |
Language | Solidity |
Tags | DEX Aggregator |
Methodology | https://hackenio.cc/sc_methodology |
Review Scope | |
---|---|
Repository | https://github.com/CryptoManiacsZone/1inch-contract/ |
Commit | aa1d1c54546f38b912a24722134ab0c2ae94860d |
Audit Summary
System users should acknowledge all the risks summarized in the risks section of the report.
System Overview
AS-IS overview
OneInchFlags.sol
Description
OneInchFlags is a library contract used to decode flags used during an exchange process.
GasDiscountCalculator.sol
Description
GasDiscountCalculator is a contract used for calculation of a CHI discount.
RevertReasonParser.sol
Description
RevertReasonParser is a library used to parse error reasons.
UniERC20.sol
Description
UniERC20 is a library used as a wrapper to get the balance of a token or ETH.
OneInchCaller.sol
Description
OneInchCaller is a contract used to perform calls to exchanges.
Imports
OneInchCaller contract has the following imports:
IOneInchCaller
RevertReasonParser
DodoExtension
GasDiscountExtension
PatcherExtension
SafeERC20Extension
UniswapV2Extension
Inheritance
OneInchCaller contract is IOneInchCaller, DodoExtension, GasDiscountExtension, PatcherExtension, SafeERC20Extension, UniswapV2Extension.
Usages
OneInchCaller contract has no custom usages.
Structs
OneInchCaller contract has no custom data structures.
Enums
OneInchCaller contract has no custom enums.
Events
OneInchCaller contract has the following events:
event Error(reason);
Modifiers
OneInchCaller has no custom modifiers.
Fields
OneInchCaller contract has no custom fields and constants.
Functions
OneInchCaller has the following public functions:
receive
Description: Allows receiving ETH only from contracts.
makeCalls
Description: Make multiple calls.
Visibility: external
Input parameters:
- CallDescription[] calldata calls – a list of calls.
Constraints: None
Events emit: None
Output: None
makeCall
Description: Perform an external call.
Visibility: public
Input parameters:
- CallDescription calldata desc – a call description.
Constraints: None
Events emit: None
Output: None
OneInchExchange.sol
Description
OneInchExchange is the exchange contract.
Imports
OneInchExchange contract has the following imports:
Ownable – from OpenZeppelin.
SafeERC20 – from OpenZeppelin.
Pausable – from OpenZeppelin.
IChi.
IERC20Permit.
IOneInchCaller.
RevertReasonParser.
UniERC20.
Inheritance
OneInchExchange contract is Ownable and Pausable.
Usages
OneInchExchange contract has the following usages:
using SafeMath for uint256.
using SafeERC20 for IERC20.
using UniERC20 for IERC20.
Structs
OneInchExchange contract has the following data structures:
SwapDescription – contains main swap information.
Enums
OneInchExchange contract has no custom enums.
Events
OneInchExchange contract has the following events:
event Error(reason);
event Swapped(address indexed sender, IERC20 indexed srcToken, IERC20 indexed dstToken, address dstReceiver, uint256 amount, uint256 spentAmount, uint256 returnAmount, uint256 minReturnAmount, uint256 guaranteedAmount, address referrer);
Modifiers
OneInchExchange has no custom modifiers.
Fields
OneInchExchange contract has the following constants:
uint256 private constant _PARTIAL_FILL = 0x01;
uint256 private constant _REQUIRES_EXTRA_ETH = 0x02;
uint256 private constant _SHOULD_CLAIM = 0x04;
uint256 private constant _BURN_FROM_MSG_SENDER = 0x08;
uint256 private constant _BURN_FROM_TX_ORIGIN = 0x10;
Functions
OneInchExchange has the following public functions:
discountedSwap
Description: Performs a swap and compensates some gas by burning CHI tokens.
Visibility: external
Input parameters:
- IOneInchCaller caller – OneInchCaller address.
- SwapDescription calldata desc – swap description.
- IOneInchCaller.CallDescription[] calldata calls – a list of calls.
Constraints: None
Events emit: Emits Swapped or Error events.
Output:
- uint256 returnAmount
swap
Description: Performs a swap.
Visibility: external
Input parameters:
- IOneInchCaller caller – OneInchCaller address.
- SwapDescription calldata desc – swap description.
- IOneInchCaller.CallDescription[] calldata calls – a list of calls.
Constraints:
- The contract should not be paused.
- Calldata should exist.
- minReturnAmount should be set.
Events emit: Emits Swapped event.
Output:
- uint256 returnAmount
rescueFunds
Description: Sends accidentally locked tokens or ETH to the message sender. The function is safe because OneInchExchange is not supposed to store any funds for the exchange process.
Visibility: external
Input parameters:
- IERC20 token – token address to withdraw.
- uint256 amount – amount to transfer.
Constraints:
- Can only be called by the contract owner.
Events emit: None
Output: None
pause
Description: Pauses the contract.
Visibility: external
Input parameters: None
Constraints:
- Can only be called by the contract owner.
Events emit: None
Output: None
Potential Risks
No potential risks found in this section.
Findings
Code | Title | Status | Severity |
---|---|---|---|
F-2023-1644 | Unused Contracts | unfixed | Low |
Appendix 1. Definitions
Severities
When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Potential Risks
The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
---|---|
Repository | https://github.com/CryptoManiacsZone/1inch-contract/ |
Commit | aa1d1c54546f38b912a24722134ab0c2ae94860d |