dRdefRes
1inch logo

1inch

TierΒ 4

1inch

DEX Aggregator
BinanceEthereum

1inch is the DeFi ecosystem building financial freedom for everyone

6.1Safety Score62% confidence

Latest TVL

$2.99M

DeFiLlama Β· updated 5/20/2026

Audits

122

reports collected

Findings

6

across all audits

Last Updated

5/25/2026

Analyzed

Analysis Overview

πŸ—οΈ

Protocol Overview

1inch is presented here as a DEX aggregator, but the available technical evidence mainly covers a farming extension rather than the full routing stack. A TVL snapshot around $3.0M with a negative 7-day change suggests some liquidity fragility. Key protocol-level concerns are owner-parameter misconfiguration and integration attack surfaces like MEV and oracle-driven effects, while major architecture details remain undocumented in this dataset.
πŸ”’

Code Security

7.4/10
Code-security evidence is narrow, based on one historical farming-scope audit that reported no critical, high, or medium findings and mostly low or informational issues. Findings focused on code maturity and integration hygiene, such as parameter checks, interfaces, documentation, and tests, with some items fixed and others acknowledged. The report also flags the audit publication provenance as unverified, so conclusions are useful but lower-confidence rather than protocol-negative by itself.
πŸ’°

Economic Security

5.4/10
Economic risk is hard to score confidently because core inputs like oracle design, router behavior, and tokenomics are largely missing from the available materials. The visible snapshot shows modest TVL near $3.0M, a negative 7-day trend, and presence on Ethereum and Binance, which can increase stress sensitivity if liquidity thins. The main evidenced issue is a low-severity farming parameter misconfiguration path that could still cause loss of control or funds in that scope.
πŸ‘₯

Team & Transparency

6.2/10
Team and social transparency signals are mixed: public website, code hosting, and social accounts are present, and there is a completed third-party audit record. However, most evidence is thin or historical, with limited current detail on leadership, legal structure, community quality, or financial disclosure. The report therefore treats credibility as baseline-to-moderate and warns that confidence is constrained by sparse, partly lower-confidence source coverage.
πŸ—³οΈ

Governance

4.7/10
Governance visibility is limited, but the available evidence confirms owner-gated control over farming distributor settings, including the ability to set a zero address to stop new farmings. That control can help emergency operations but also creates centralization and operator-error risk, including a cited path to loss of funds or control if parameters are mishandled. Broader safeguards such as multisig structure, timelocks, proposal flow, and upgrade controls are not documented in the current source set.
πŸ”—

Cross-Analysis

The combined view is moderate risk with high uncertainty: known severe code issues were not reported in the reviewed farming scope, but evidence gaps span governance process, router-level economics, and social transparency. Cross-domain failure modes center on owner-parameter mistakes during liquidity stress and delayed containment when governance and communication pathways are unclear. A major risk amplifier is sparse, partly lower-confidence evidence that can create false comfort and hide latent issues.

Executive Summary

Executive Summary: 1Inch

Safety Rating: YELLOW

Overall Score: 6.1/10 | Confidence: 0.62 | Data Completeness: 0.75 "most domains report substantial data gaps"

Scores by Dimension

DimensionScoreKey Finding
Code Security7.4/10No critical, high, or medium findings were reported in the reviewed farming scope, but coverage is partial and historical "No critical findings reported"
Economic Security5.4/10TVL is modest and recent trend is negative, while router-level and oracle evidence is incomplete "Current TVL is about $2.99M"
Team Transparency6.2/10Public links and an audit trail exist, but social/team evidence is thin and mostly historical "the social/team dataset is thin and mostly historical"
Governance4.7/10Owner-gated controls are evidenced, while timelock/multisig/process documentation is missing "owner-gated administrative control"
Track Record6.0/10Historical audit results are directionally positive, but confidence is reduced by sparse and older evidence "Of the 6 findings, 1 was of low impact and the remaining findings were informational in nature."

What This Protocol Does

1inch is described as a DeFi ecosystem and categorized here as a DEX aggregator "1inch is described in this workspace as a DeFi ecosystem" "category: DEX Aggregator". The technical evidence in this run is focused on the 1inch farming extension, where ERC20 holders can earn farming rewards while retaining control of tokens "The only technical source in this workspace is a security assessment focused on the 1inch farming extension" "It allows users to reap rewards from their holdings while still being in control of their tokens.".

Key Strengths

  • Reviewed farming scope reported no critical/high/medium findings "Critical\n0" "High\n0" "Medium\n0".
  • Some identified issues were fixed in specific commits "The issue was fixed by 1inch in commit e513e429." "The issue was fixed by 1inch in commit 29bf4aed.".
  • Cross-analysis notes risk mitigators from the available audit outcomes "Available audit evidence reports no critical/high/medium findings in reviewed farming scope".
  • Public website/GitHub/Twitter links are present in metadata "Workspace metadata includes website, GitHub, and Twitter links:".

Key Risks

  • Governance/admin concentration risk remains due to owner-gated controls and missing governance-process detail "Single point of failure risk: Owner-gated controls can become concentrated power" "No governance docs/digests in this workspace to validate proposal flow, quorum, timelock, or upgrade path".
  • Economic and integration blind spots remain for router-level behavior, oracle design, and MEV conditions "this workspace lacks current router-level evidence" "Insufficient data for this assessment from current workspace docs/digests.".
  • Liquidity fragility signal is present from recent TVL trend "7d TVL delta is negative, which can increase liquidity fragility during volatility".
  • Evidence confidence is reduced by sparse inputs and unverified audit publication provenance "Audit provenance is explicitly unverified" "uncertainty itself is a primary risk factor".

Critical Findings

  • No critical findings identified in available reviewed scope "No critical findings reported in available audit data".

Recommendation

Current evidence supports a cautious, moderate-risk posture: suitable for users who understand DeFi operational risk and can tolerate incomplete governance/economic transparency in this dataset "moderate-but-uncertain" "significant cross-domain blind spots in governance process evidence, router-level economic exposure detail, and current social/transparency telemetry". More risk-sensitive users should wait for clearer governance documentation, broader and fresher audit coverage, and stronger current-state transparency signals "dataset is materially incomplete for a full governance assessment" "coverage is partial: one indexed audit with finding-level detail is available".

Report Sections

  • Protocol Overview
  • Code Security
  • Economic Security
  • Social & Team
  • Governance
  • Cross-Risk Analysis

Vulnerability Findings

Low5Info1

Audit Reports (122)

AuditorTierStatusDiscoveredLink
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”failed5/25/2026View β†—
Unknownβ€”failed5/25/2026View β†—
Unknownβ€”failed5/25/2026View β†—
Unknownβ€”failed5/25/2026View β†—
Unknownβ€”failed5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Unknownβ€”processing5/25/2026View β†—
Zellictier_2completed5/20/2026View β†—