A significant exploit has hit TrustedVolumes, a liquidity provider integral to several DeFi protocols, resulting in the theft of approximately $6.7 million. Blockchain analytics firm Blockaid identified the exploited contract as a resolver on Ethereum managed by TrustedVolumes. The attacker extracted around 1,291 WETH, 206,282 USDT, 16.93 WBTC, and 1.26 million USDC.
Blockaid linked the exploit to an operator previously implicated in the March 2025 1inch Fusion V1 incident. This time, the vulnerability was in a custom RFQ swap proxy controlled by TrustedVolumes. An RFQ (request-for-quote) swap proxy is designed to handle price quotes and token swaps between market makers and traders.
TrustedVolumes acknowledged the breach and published three wallet addresses containing stolen funds: two holding approximately $3 million each and one with about $700,000. The company said it was willing to engage in constructive dialogue about a bug bounty and an agreeable resolution.
Hakan Unal, senior security operations lead at Cyvers, explained to Decrypt that the exploit resulted from “permissionless signer registration, broken replay protection, and an unvalidated transfer source field.” These flaws enabled the attacker to impersonate a trusted signer and drain funds without authorization. Before converting to ETH, funds were transferred through the high-risk no-KYC exchange ChangeNow.
“The damage could have been far greater,” Unal stated, noting that nonfunctional replay protection might have allowed repeated draining from approved accounts.
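The three flaw classes Unal names map to three checks a quote-settlement path should enforce. The following is an added example, not TrustedVolumes' contract code: a simplified Python model with hypothetical names (`Quote`, `Resolver`, `sign`), in which HMAC-SHA256 stands in for the on-chain signature scheme and all sample data is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Quote:
    signer: str     # key holder who authorised the quote
    source: str     # account the tokens are pulled from
    recipient: str
    amount: int
    nonce: int

def sign(key: bytes, q: Quote) -> bytes:
    # HMAC stands in for ECDSA (assumption). Every field, source included, is signed.
    msg = repr((q.signer, q.source, q.recipient, q.amount, q.nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Resolver:
    def __init__(self, admin: str):
        self.admin = admin
        self.signers = {}   # signer -> (key, sources that signer may spend from)
        self.used = set()   # consumed (signer, nonce) pairs

    def register_signer(self, caller, signer, key, sources):
        # Control 1: signer registration is permissioned, not open to any caller.
        if caller != self.admin:
            raise PermissionError("signer registration is admin-only")
        self.signers[signer] = (key, frozenset(sources))

    def settle(self, quote: Quote, sig: bytes) -> str:
        if quote.signer not in self.signers:
            return "reject: unknown signer"
        key, sources = self.signers[quote.signer]
        if not hmac.compare_digest(sig, sign(key, quote)):
            return "reject: bad signature"
        # Control 2: the transfer source must be an account bound to this signer.
        if quote.source not in sources:
            return "reject: source not bound to signer"
        # Control 3: consume the nonce before any transfer so a quote settles once.
        if (quote.signer, quote.nonce) in self.used:
            return "reject: replayed nonce"
        self.used.add((quote.signer, quote.nonce))
        return "ok"

def demo():
    r = Resolver("admin")  # constructed sample data below
    r.register_signer("admin", "mm1", b"k1", {"mm1-vault"})
    good, bad = Quote("mm1", "mm1-vault", "trader", 100, 1), Quote("mm1", "victim", "trader", 100, 2)
    return [r.settle(q, sign(b"k1", q)) for q in (good, good, bad)]
```

`demo()` settles one valid quote, then rejects its replay and a correctly signed quote that names a source the signer is not bound to.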
1inch, a DeFi aggregator platform, refuted claims implicating its protocols in the breach. “Neither 1inch nor any of the 1inch protocols are involved,” it tweeted, emphasizing no impact on their systems or user funds.
A spokesperson for 1inch told Decrypt they were collaborating with security partners to understand and integrate findings from this incident into their ongoing processes. They highlighted a core design principle of built-in redundancy that allows other providers to continue serving users without disruption if one is compromised.
“While it’s true that 1inch uses TrustedVolumes as a resolver, we are just one among many,” added 1inch co-founder Sergej Kunz in a tweet. “The narrative around this story can be misleading and harmful.”
Nick Harris, CEO of CryptoCare, told Decrypt the exploit underscored a pattern: the same attacker targeted different contracts months apart. He described the perpetrator as a patient, targeted operator rather than an opportunistic hacker and warned that surviving one exploit does not eliminate future risks.
This incident comes amid a series of severe DeFi attacks, including North Korean hackers draining $285 million from Drift Protocol and Kelp DAO losing $293 million due to compromised LayerZero infrastructure. The latter has led to legal action in U.S. federal court as Aave contests the freezing of $71 million in user funds on Arbitrum.