KeyAudit

TrustedVolumes loses $6.7M in exploit; 1inch denies involvement

TrustedVolumes, a liquidity provider serving as a resolver for multiple DeFi protocols, was exploited for approximately $6.7 million in tokens on Ethereum, including WETH, USDT, WBTC, and USDC. Blockchain analytics firm Blockaid identified the attacker as the same operator behind the March 2025 1inch Fusion V1 incident, but this time targeting a different vulnerability in TrustedVolumes' custom RFQ swap proxy. The exploit was detected by Blockaid's system, and TrustedVolumes confirmed the breach, publishing three wallet addresses holding the stolen funds and offering a bug bounty for a resolution.

The root cause, according to Cyvers' Hakan Unal, involved permissionless signer registration, broken replay protection, and an unvalidated transfer source field, allowing the attacker to act as a trusted signer and drain victims without authorization. Unal noted that the damage could have been far greater if the replay protection flaw had been exploited further. Funds were routed through no-KYC exchange ChangeNow before being swapped to ETH.

DeFi aggregator 1inch distanced itself from the incident, stating that its systems, infrastructure, and user funds were unaffected, and that TrustedVolumes operates independently as one of many resolvers. 1inch co-founder Sergej Kunz criticized the framing of the story as confusing and harmful. Experts warned that surviving an exploit does not close the risk but may open new ones, highlighting the growing sophistication of DeFi attacks.

Key facts

  • TrustedVolumes lost ~$6.7M in WETH, USDT, WBTC, and USDC on Ethereum.
  • The attacker was identified as the same operator behind the March 2025 1inch Fusion V1 incident.
  • Root cause included permissionless signer registration and broken replay protection.
  • 1inch denied any exposure, stating its systems and user funds were unaffected.
  • TrustedVolumes offered a bug bounty and listed three wallet addresses holding stolen funds.
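
The three root-cause items reported above (signer registration, replay protection, transfer source) correspond to three checks a fill path has to make. The following is an added illustration, not TrustedVolumes' contract code: a small Python model in which the class, the field names and the HMAC stand-in for on-chain signatures are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

class OrderRejected(Exception):
    """A registration or fill failed an authorization check."""

@dataclass(frozen=True)
class Order:
    signer: str   # identity whose key authorized the quote
    source: str   # account the tokens are pulled from
    taker: str    # account receiving the tokens
    amount: int
    nonce: int

def sign(key, order):
    # HMAC is a stand-in for an on-chain signature; every order field is covered.
    return hmac.new(key, repr(order).encode(), hashlib.sha256).digest()

class RfqProxyModel:
    """Hypothetical model of an RFQ fill path; not the real proxy."""
    def __init__(self):
        self.keys = {}       # signer -> verification key
        self.source_of = {}  # signer -> the one account it may spend from
        self.used = set()    # consumed (source, nonce) pairs

    def register_signer(self, caller, source, signer, key):
        # Check 1: only the funded account may appoint a signer for itself.
        if caller != source:
            raise OrderRejected("caller may not register a signer for another account")
        if self.source_of.get(signer, source) != source:
            raise OrderRejected("signer is already bound to another account")
        self.keys[signer] = key
        self.source_of[signer] = source

    def fill(self, order, signature):
        key = self.keys.get(order.signer)
        if key is None or not hmac.compare_digest(signature, sign(key, order)):
            raise OrderRejected("unknown signer or bad signature")
        # Check 2: the transfer source must be the account that appointed this signer.
        if self.source_of[order.signer] != order.source:
            raise OrderRejected("signer is not authorized for this source")
        # Check 3: each (source, nonce) pair is consumed exactly once.
        slot = (order.source, order.nonce)
        if slot in self.used:
            raise OrderRejected("order already filled")
        self.used.add(slot)
        return order.amount
```

Dropping any one of the three checks leaves the other two insufficient: a valid signature alone says nothing about whose funds the signer may move or how many times the order may be filled.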

KeyAudit data perspective

📊 KeyAudit data: Ethereum historical leak records: 806747
