
Penetration Testing For 1inch


Hacken conducted web application and API penetration testing for 1inch. 1inch is a platform trusted by millions across 13+ networks, and this engagement reinforces the secure infrastructure behind one unified DeFi ecosystem.

In January 2026, 1inch approached Hacken, a blockchain-native security and compliance firm, for penetration tests across its 1inch Business portal and API infrastructure. Building on eight years of offensive security experience in Web3, Hacken's team emulated real-world attackers, manually probed critical paths, and thoroughly assessed both the business portal and the developer-facing API suite. All findings were disclosed, reviewed, and addressed in close collaboration with the 1inch team.

"Adding to our long record of security audits, the latest Hacken audits of the 1inch Business portal and API products further reinforce 1inch as one of the most rigorously audited protocols in DeFi.
Our unwavering commitment to security and transparency is a primary reason why we earn and sustain the trust of our users. It is our aim to set the standard for the industry, helping ensure that the growth of DeFi and its ongoing convergence with TradFi remain uninhibited."
- Ilya Naryzhnyy, 1inch CIO

What is Penetration Testing

Penetration testing is a structured security assessment in which an authorized team of security professionals simulates real-world cyberattacks on a system, application, or network. Hacken’s approach focuses on manual exploitation and threat-informed testing to validate real attack paths and business impact. In the DeFi space, where smart contracts, APIs, and web interfaces all intersect with real financial assets, penetration testing is a critical layer of defense, especially considering that 53% of all Web3 losses in 2025 stemmed from access control exploits, not smart contract bugs.

About 1inch

1inch is accelerating decentralized finance by providing millions of users with a seamless crypto trading experience. As well as being the leading platform for low-cost, efficient token swaps, 1inch provides a variety of cutting-edge tools, such as a secure self-custodial wallet, a portfolio tracker for managing digital assets, a business portal offering access to its technology and even a debit card for straightforward crypto spending. Through continuous innovation, 1inch is making DeFi simpler for everyone.

Learn more: 

https://blog.1inch.com/

https://1inch.com/

Hacken’s Penetration Testing For 1inch

The requested scope covered front-end and session security, including Web3 provider injection, third-party dependency risks, and clickjacking exposure, as well as APIs and back-end flows, including injection testing, privilege escalation paths, and insecure integration patterns.

Both assessments were scoped specifically to 1inch Business, the enterprise-grade Web3 infrastructure platform built by the 1inch ecosystem for developers, startups, and financial institutions. It supports multiple blockchain networks and offers a comprehensive suite of DeFi APIs. With institutional builders and financial integrators depending on the platform daily, the security of its business portal and API surface is business-critical.

Hacken’s team conducted adversary emulation and threat-informed testing, manually simulating real-world attack scenarios to validate resilience and assess business impact under realistic conditions.

Key processes included:

  • Threat intelligence–based scoping
  • Manual exploitation across user roles and privilege levels
  • API lifecycle and input validation analysis
  • Reporting aligned with NIST SP 800-115, PTES, and the OWASP Testing Guide

1inch Business Penetration Testing

The first assessment targeted 1inch Business, the enterprise-grade Web3 infrastructure portal serving developers, startups, and financial institutions.

The assessment covered a broad attack surface including authentication and session management, front-end security controls, server-side input handling, transport layer configuration, and business logic flows. Hacken's team manually tested for critical vulnerability classes including injection attacks, privilege escalation, clickjacking, and insecure data exposure.

API Penetration Testing

The API assessment targeted the 1inch Business developer platform, a comprehensive suite of Web3 APIs powering token swaps, orderbook management, portfolio analytics, gas pricing, and more across multiple blockchain networks. The assessment covered a wide range of attack vectors including authentication and authorization controls, API endpoint security, input validation, rate limiting, business logic abuse, and internal API exposure. Hacken's team manually tested for critical vulnerability classes including injection attacks, broken object level authorization, mass assignment, and insecure direct object references.


Securing Financial Freedom for Everyone

Across both engagements, a combined total of 7 findings were identified, all at informational severity. Zero critical, high, medium, or low vulnerabilities were discovered across 1inch's business portal or API surfaces. 

This is a strong security posture result for a platform operating at the scale and complexity of 1inch. It confirms that 1inch's core infrastructure has been built with security-conscious practices from the ground up.
