A major decentralized finance exploit has hit TrustedVolumes, with attackers stealing nearly $5.87 million in crypto assets through a vulnerability tied to its resolver and RFQ trading infrastructure.
Key Takeaways
- TrustedVolumes lost around $5.87 million in WETH, USDT, WBTC, and USDC during the exploit.
- Security firms Blockaid, PeckShield, and Beosin linked the attacker to the March 2025 1inch Fusion V1 exploit.
- 1inch denied that its own protocol or infrastructure was compromised and said TrustedVolumes operates independently.
- The stolen funds were later converted into Ethereum and split across two separate wallet addresses.
What Happened?
TrustedVolumes, a liquidity provider connected to the DeFi ecosystem, suffered a multi million dollar exploit after attackers abused a vulnerability in its resolver and custom RFQ trading agent contracts. Blockchain security firms quickly traced the stolen assets and connected the exploit to a previously known attacker linked to the 1inch Fusion V1 incident from March 2025.
The incident adds to the growing list of major DeFi hacks in 2026, raising fresh concerns around smart contract security and persistent token approval risks across decentralized platforms.
🚨 We were recently exploited.
— TrustedVolumes (@trustedvolumes) May 7, 2026
The addresses currently holding the stolen funds are:
[https://t.co/Uffg1StIhA](https://t.co/Uffg1StIhA) — approx. $3M
[https://t.co/gUCDHwOOTC](https://t.co/gUCDHwOOTC) — approx. $3M
[https://t.co/68Lu7Bq0MJ]
[https://t.co/68Lu7Bq0MJ] —…
How the TrustedVolumes Exploit Worked?
According to blockchain security firm Blockaid, the exploit targeted a vulnerable public function within the TrustedVolumes resolver contract. The flaw allowed the attacker to assign themselves as an “Allowed Order Signer,” giving them unauthorized access to user approved funds.
What made the attack particularly dangerous was that users did not need to sign or approve any new transactions. The attacker reportedly exploited existing token approvals that had remained active in user wallets from previous interactions with the protocol.
Security researchers said the vulnerability was separate from the flaw used during the 1inch Fusion V1 exploit in 2025. However, investigators believe the same attacker may be involved based on wallet tracing and transaction behavior.
The affected contracts reportedly included TrustedVolumes’ parser and custom RFQ trading agent operating on the Ethereum network.
Nearly $5.9 Million in Assets Drained
Blockchain security firm PeckShield reported that the attacker extracted multiple crypto assets during the exploit, including:
- 1,291.16 WETH.
- 206,282 USDT.
- 16.939 WBTC.
- 1,268,771 USDC.
The total estimated loss currently stands at approximately $5.87 million.
Soon after the exploit, blockchain security firm Beosin reported that the attacker converted the stolen assets into Ethereum through decentralized exchanges. The funds were then split between two wallet addresses holding approximately 1,291.07 ETH and 1,222.12 ETH.
Security experts noted that converting stolen funds into ETH is a common strategy used by attackers before attempting to move assets through mixers or other privacy focused tools.
1inch Denies Protocol Involvement
Following online speculation connecting the exploit to 1inch, the protocol released an official statement distancing itself from the incident.
1inch stated:
The team also said there was “no impact on 1inch systems, infrastructure or user funds.”
According to the statement, TrustedVolumes operates independently as a liquidity provider and supports multiple DeFi protocols beyond 1inch.
DeFi Hacks Continue Rising in 2026
The TrustedVolumes incident marks another major exploit during what has become an increasingly dangerous period for decentralized finance platforms.
Recent weeks have already seen several large scale attacks across the DeFi sector, including reported exploits involving Drift Protocol and Kelp DAO. Data from DefiLlama shows that crypto related thefts in April 2026 reached approximately $635.2 million, marking the highest monthly total since the massive Bybit exploit in 2025.
The latest exploit once again highlights the risks tied to unlimited token approvals, outdated smart contract permissions, and vulnerable resolver infrastructure used across DeFi protocols.
CoinLaw’s Takeaway
In my experience, one of the biggest hidden risks in DeFi is not just smart contract bugs, but the long lasting wallet approvals users often forget about. This attack shows how dangerous those permissions can become when a protocol or related infrastructure contains even a small vulnerability.
I found it especially concerning that users did not need to approve a new transaction for funds to be drained. As DeFi grows larger, security practices around token approvals and contract monitoring need to improve much faster.
