Early reports framed the incident as a 1inch exploit, but the protocol clarified that it was not compromised and no user funds were affected.
TrustedVolumes, a liquidity provider on the Ethereum blockchain, lost about $5.9 million in funds to a hacker on Thursday.
The attacker was able to exploit a vulnerability within the custom trading system used by the platform and managed to withdraw the funds, which included ETH, WBTC, as well as USDT and USDC stablecoins.
What Happened
According to blockchain security firm Blockaid, which caught the exploit as it was happening, the stolen funds included 1,291 WETH, around 16.9 WBTC, roughly 206,000 USDT, and just under 1.27 million USDC.
The attack worked by abusing a design flaw in TrustedVolumes’ custom order-settlement system, known as a Request for Quote (RFQ) proxy.
GoPlus Security posted a breakdown showing that the attacker registered themselves as an authorized “order signer” using a function called “registerAllowedOrderSigner()” that was publicly accessible.
The function allows anyone to designate their own address as a valid signer for trades they controlled, and while normally that would be harmless enough, the settlement function had a separate problem: it checked authorization against one address while actually pulling funds from a different one.
As detailed in a technical report posted by security researcher Defi Nerd, the attacker used that gap to execute four drain transactions against the TrustedVolumes resolver contract, which had previously given the proxy permission to move its tokens.
You may also like:
According to them, each time, the proxy pulled assets from the resolver and sent only a single raw USDC unit back. Then the attacker converted the stolen WETH back into ETH and forwarded everything to their own wallet.
TrustedVolumes confirmed the exploit and publicly posted three wallet addresses holding the stolen funds, asking the hacker to get in touch about a “bug bounty and a mutually acceptable resolution.”
1inch Distances Itself as DeFi Hacks Continue
Because TrustedVolumes functions as a liquidity provider and market maker on 1inch, some early reports framed the incident as a 1inch exploit.
However, that is not accurate, and both 1inch and Blockaid put out statements clarifying that the protocol itself was not compromised and no user funds on 1inch were affected. TrustedVolumes operates independently across multiple platforms, not exclusively on 1inch.
The attack occurred during an especially difficult period for the DeFi ecosystem since it followed a catastrophic month of April, where more than $650 million worth of crypto was stolen from different projects.
KelpDAO and Drift Protocol were the most affected, having $292 million and $285.2 million taken away from them.
So at $5.9 million, this latest exploit is smaller in scale. But the technical sophistication of the approach, deploying a helper contract, abusing self-service signer registration, and exploiting a maker/funding-source mismatch in a single transaction, puts it in a different category from a simple bug or misconfiguration.
