How 1inch security investigation flow works


by 1inch


In this post, members of the 1inch compliance team - Ignacio, Caleb and Vladimir - explain how they work to ensure that users never have to worry about the security of their tokens.

1inch has always emphasized the importance of security in its operations. But what happens behind the scenes? What exactly is 1inch doing to make sure user funds remain safe and secure at all times? Let the 1inch compliance team walk you through it in their own words.

“At 1inch, our investigation process is designed to be fast, collaborative and privacy-preserving,” says Ignacio. “Flags can originate from internal wallet screening systems or external sources like law enforcement agencies, blockchain analytics providers, or even other exchanges. When a wallet linked to stolen funds is detected - for example, after a high-profile protocol exploit - we coordinate with ecosystem partners to help block the malicious address as quickly as possible and prevent any interaction with our protocols.”

In fact, the blocking system operates automatically 24/7, while coordination and manual engagement occur continuously based on incoming reports from multiple sources - ensuring greater efficiency.

According to Caleb, the 1inch compliance team relies on a few different tools. “Initially, 1inch started out with Chainalysis as the main security provider,” he recalls. “That was focused on two key impacts: fighting back against DeFi hacks and detecting bad actors.”

Since then, however, the compliance team has expanded its reach, also getting help from zeroShadow, Crypto Defenders Alliance, Hypernative, Blockaid and SEAL911.

“This allows the crowdsourcing of phishing/scam/hack sources and blockchain tracing across multiple ecosystems,” Caleb explains. “1inch can block and prevent individuals from using 1inch to break Know Your Token (KYT) or more generally, just swapping the tokens. When law enforcement agencies request information from 1inch, generally we comply by supplying logs produced by the specific wallet address.”

Ignacio stresses that although 1inch does not operate custodial wallets or collect user-identifying data through account registration, the compliance team does retain IP addresses and related metadata associated with wallet connections for a limited period of time.

“From this data, we’re able to identify which integrator was used for the swap, along with other information, like recipients of the swap proceeds for all types of swaps if law enforcement agencies don’t have it,” adds Caleb, emphasizing that, in order to obtain this information, law enforcement agencies need to use proper official channels. 

1inch doesn’t hold user funds, but we still apply strict internal controls when malicious actors attempt to interact with our platform. 

“In these cases, we may isolate any protocol-generated revenue - for instance, from a limit order executed by a blacklisted address - and segregate those funds for further review or potential restitution,” says Ignacio. “This process is documented and revisited as part of our ongoing enforcement efforts.”

“Although 1inch doesn’t provide blockchain analysis services, we have some advanced investigation team members and we cross-check with other blockchain security teams like zeroShadow,” adds Caleb. “The team follows both public and private alerting for different hacks and high-profile compromises while also keeping track of what would be considered low-priority community reports and victims through SEAL911 reports.”

According to Caleb, all reports of security breaches are important for the 1inch compliance team, regardless of the amounts reported. 

“We report undetected incidents to blockchain security teams, like zeroShadow, Seal, Crypto ISAC and TRM Labs, to improve heuristics,” he says. “The backend automatically ingests major DeFi security blocklists while the compliance team also reviews the community reports (Crypto Defenders Alliance, Crypto ISAC + SEAL911). We also watch for anything that comes through the support team and report these incidents as needed.” 

According to Vladimir Zhdanovich, the 1inch compliance team also conducts its own investigations into major crypto incidents and assists 1inch users if malicious actors gain access to their wallets.

“We can inform users about the reason behind the hacks, trace funds to known exchange wallets, and notify other protocols’ compliance departments about the stolen assets,” he says, adding that this way, exchanges can freeze the funds until they receive orders from law enforcement.

“While this isn’t a direct responsibility of our department, we handle each case individually because we value our users and aim to help them, even if the incident isn’t directly related to 1inch,” he adds. “We also analyze activity across all 1inch products and conduct additional investigations into any highlighted activity. We keep logs of such activities in case law enforcement reaches out in the future.” 

If a user believes that their wallet has been improperly flagged for being risky, they can submit a request for their wallet to be reviewed.

“We do admit, there are false positive heuristics sometimes,” explains Caleb. “The ecosystem impact is both positive and negative. The positive side is cornering bad actors and preventing them from using funds that have been stolen. The negative side is that 1inch is censoring potentially innocent users because of their jurisdiction, on-chain activity outside of their control (for example if a scammer sends user tokens), or other false and incorrect reports.”

Meanwhile, 1inch doesn’t restrict its activities to reacting to known incidents and submitted reports. 

“Our goal isn’t just to react to incidents but to be proactive,” concludes Vladimir. “We're constantly enhancing our collaboration with top investigators in the market to get real-time info on incidents and with security providers to proactively block suspicious activities before they interact with our platform.”

Stay tuned for more on risk management from 1inch!
