Hacker Empties $5.9M From Ethereum Liquidity Provider TrustedVolumes

TrustedVolumes, a liquidity provider on the Ethereum blockchain, suffered an attack on Thursday that resulted in the loss of roughly $5.9 million.

The attacker exploited a vulnerability in TrustedVolumes’ custom trading and settlement system and withdrew funds denominated in ETH and wrapped ETH (WETH), wrapped Bitcoin (WBTC), and stablecoins USDT and USDC.

What happened

Blockchain security firm Blockaid detected the exploit in real time. According to its report, the stolen assets included 1,291 WETH, about 16.9 WBTC, approximately 206,000 USDT, and just under 1.27 million USDC.

The attacker took advantage of a design flaw in TrustedVolumes’ custom order-settlement mechanism, known as a Request for Quote (RFQ) proxy. Security researchers from GoPlus Security explained that a publicly accessible function, registerAllowedOrderSigner(), allowed anyone to register their own address as an authorized “order signer.” That registration alone would not necessarily have been catastrophic, but the settlement logic had a separate and critical issue: the contract validated authorization against one address while actually transferring assets from a different address. This mismatch between the signer-check and the funding source created an exploitable gap.

Security researcher Defi Nerd published a technical analysis showing how the attacker leveraged that gap to drain funds. The attacker registered themselves as an allowed order signer, then used the inconsistency in the authorization versus the actual token source to execute four drain transactions against the TrustedVolumes resolver contract. Because the resolver had previously granted the RFQ proxy permission to move tokens, the proxy could pull assets from the resolver account.

In each drain transaction the proxy transferred the bulk of the assets to the attacker while returning only a single raw unit of USDC back to the resolver, effectively masking the outflow. The attacker then converted the stolen WETH back to ETH and consolidated the proceeds into their own wallet.
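The mismatch between the authorization check and the funding source described above, reduced to a small Python model. This is an added example, not TrustedVolumes' contract code or code from the cited analyses; the class, field, and account names are assumptions, and the order data is constructed. It sets the flawed check beside a hardened one and adds a simple monitoring heuristic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    maker: str       # account the signer authorization is checked against
    signer: str      # key that signed the order
    funds_from: str  # account the tokens are actually pulled from
    give: int        # raw token units leaving funds_from
    take: int        # raw token units returned to funds_from

class RfqProxy:
    """Hypothetical, simplified settlement proxy (assumed structure)."""
    def __init__(self):
        self.allowed = set()    # (account, signer) pairs
        self.approvals = set()  # accounts that approved the proxy to move tokens

    def register_signer(self, caller, signer):
        # Open registration: any caller may vouch for a signer on its own behalf.
        self.allowed.add((caller, signer))

    def settle_flawed(self, o):
        # Authorization is checked for o.maker, but o.funds_from is debited.
        return (o.maker, o.signer) in self.allowed and o.funds_from in self.approvals

    def settle_hardened(self, o):
        # The debited account must be the one that authorized the signer.
        return (o.funds_from, o.signer) in self.allowed and o.funds_from in self.approvals

def is_suspicious(o, dust=1):
    # Heuristic (assumption): debited account differs from the authorizing
    # account, or an outflow is matched only by a dust-sized return.
    return o.funds_from != o.maker or (o.give > 0 and o.take <= dust)

def demo():
    proxy = RfqProxy()
    proxy.approvals.add("resolver")                    # resolver approved the proxy
    proxy.register_signer("resolver", "resolver_key")
    proxy.register_signer("outsider", "outsider_key")  # open registration
    orders = {                                         # constructed sample orders
        "legit": Order("resolver", "resolver_key", "resolver", 1000, 990),
        "mismatch": Order("outsider", "outsider_key", "resolver", 1000, 1),
    }
    return {name: (proxy.settle_flawed(o), proxy.settle_hardened(o), is_suspicious(o))
            for name, o in orders.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```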

TrustedVolumes confirmed the breach and publicly shared three wallet addresses that received the stolen funds. The team invited the attacker to communicate about a “bug bounty and a mutually acceptable resolution.”

1inch distances itself as DeFi hacks continue

Because TrustedVolumes provides liquidity and market-making services on multiple platforms, including integration with 1inch, some initial coverage mistakenly labeled the incident as a 1inch exploit. Both 1inch and Blockaid issued clarifications stating that the 1inch protocol itself was not compromised and no user funds on 1inch were impacted. TrustedVolumes operates independently and its infrastructure spans multiple venues rather than being exclusive to any single protocol.

This exploit comes at a tense time for the decentralized finance (DeFi) sector. It follows a particularly damaging April in which attackers stole more than $650 million from various projects, with KelpDAO and Drift Protocol suffering substantial losses of roughly $292 million and $285.2 million, respectively.

At about $5.9 million, the TrustedVolumes attack is smaller in monetary terms than those events, but its technical complexity deserves attention. The attacker combined multiple techniques in a single sequence of interactions: deploying a helper contract, abusing an open signer registration function, and exploiting a mismatch between the maker (signer) check and the actual funding source. That layered approach is more sophisticated than a simple misconfiguration and highlights how subtle contract design and access-control inconsistencies can lead to severe losses.

The incident underscores several lessons for DeFi projects: rigorous access-control design, careful separation between authorization checks and asset custody, comprehensive auditing of public registration functions, and tooling to detect unusual settlement patterns in real time. Until these types of vulnerabilities are systematically addressed across protocols, DeFi platforms and their liquidity providers will remain attractive targets for increasingly inventive attackers.