DeFi Platform TrustedVolumes Hit by $6.7M Exploit
The liquidity resolver used by multiple DeFi protocols was hit, with DEX aggregator 1inch claiming no impact on its systems.
By Vismaya VEdited by Stephen GravesMay 7, 2026May 7, 20263 min read
In brief
- A hack drained $6.7 million from TrustedVolumes, a liquidity resolver used by multiple DeFi protocols.
- 1inch denied any exposure to the incident, saying its “systems, infrastructure or user funds” were unaffected.
- Experts pointed to signer and replay flaws, warning that the damage could have been larger.
TrustedVolumes, a liquidity provider used by multiple DeFi protocols, was hit by an exploit that has so far drained around $6.7 million in funds.
Blockchain analytics firm Blockaid's exploit detection system identified the victim contract as TrustedVolumes' resolver on Ethereum, with the attacker extracting approximately 1,291 WETH, 206,282 USDT, 16.93 WBTC, and 1.26 million USDC.
The firm flagged the exploiter as the same operator behind the March 2025 1inch Fusion V1 incident, leveraging a different vulnerability, this time in a TrustedVolumes-controlled custom RFQ swap proxy.
An RFQ, or request-for-quote, swap proxy is a contract that handles price quotes and token swaps between a market maker and traders.
TrustedVolumes confirmed the breach, publishing three wallet addresses holding the stolen funds, approximately $3 million, $3 million, and $700,000, and said it was "open to constructive communication regarding a bug bounty and a mutually acceptable resolution."
🚨 We were recently exploited.
The addresses currently holding the stolen funds are:
[https://t.co/Uffg1StIhA](https://t.co/Uffg1StIhA) — approx. $3M
[https://t.co/gUCDHwOOTC](https://t.co/gUCDHwOOTC) — approx. $3M
[https://t.co/68Lu7Bq0MJ]— TrustedVolumes (@trustedvolumes) May 7, 2026
Hakan Unal, senior security operations lead at crypto security firm Cyvers, told Decrypt the root cause was a combination of “permissionless signer registration, broken replay protection, and an unvalidated transfer source field.”
The flaws let the attacker act as a trusted signer and drain victims without valid authorization, with funds routed through high-risk no-KYC exchange ChangeNow before being swapped to ETH, he added.
“The damage could have been far greater,” Unal said. “With replay protection nonfunctional, the attacker could have potentially drained additional approved accounts repeatedly.”
Decrypt has reached out to TrustedVolumes for comment.
1inch distances itself
DeFi aggregator 1inch pushed back after reports linked the platform directly to the breach, framing it as an attack on the protocol itself.
“We can confirm that neither 1inch nor any of the 1inch protocols are involved,” 1inch tweeted. “There is no impact on 1inch systems, infrastructure or user funds.”
We are aware of misleading reports relating to an exploit involving TrustedVolumes. We can confirm that neither 1inch nor any of the 1inch protocols are involved.
There is no impact on 1inch systems, infrastructure or user funds.
TrustedVolumes operate independently as a…
— 1inch (@1inch) May 7, 2026
“From a vetting and monitoring perspective, we are working alongside our security partners to understand the specifics of how this exploit occurred, and we will be incorporating any relevant findings into our ongoing security and integration processes,” a 1inch spokesperson told Decrypt.
If a provider is “unavailable or compromised, others continue to serve users without disruption,” with this “built-in redundancy” a core design principle that “functioned exactly as intended in this case,” the spokesperson added.
“While it is true that 1inch uses TrustedVolumes as a resolver, we are one of many. The framing of this story is ultimately confusing and harmful,” 1inch co-founder Sergej Kunz tweeted.
Attacks on DeFi
“What’s striking about the TrustedVolumes incident is that the same attacker struck twice, months apart, against different contracts,” Nick Harris, founder and CEO of crypto asset recovery platform CryptoCare, told Decrypt, describing the perpetrator as a “patient, targeted operator” rather than an opportunistic hacker. He warned that surviving an exploit doesn’t necessarily close the risk but may instead “open a new one.”
The TrustedVolumes exploit follows a brutal stretch for DeFi, with North Korean hackers draining $285 million from Drift Protocol and Kelp DAO losing $293 million in an attack it blamed on compromised LayerZero infrastructure.
The Kelp hack has since spilled into a U.S. federal court, where Aave is fighting to unblock $71 million in frozen user funds on Arbitrum.
