DeFi Platform TrustedVolumes Hit by $6.7M Exploit

TrustedVolumes, a liquidity supplier utilized by aggregate DeFi protocols, was deed by an exploit that has truthful acold drained astir $6.7 cardinal successful funds.

Blockchain analytics steadfast Blockaid's exploit detection strategy identified the unfortunate declaration arsenic TrustedVolumes' resolver connected Ethereum, with the attacker extracting astir 1,291 WETH, 206,282 USDT, 16.93 WBTC, and 1.26 cardinal USDC.

The steadfast flagged the exploiter arsenic the aforesaid relation down the March 2025 1inch Fusion V1 incident, leveraging a antithetic vulnerability, this clip successful a TrustedVolumes-controlled customized RFQ swap proxy.

An RFQ, oregon request-for-quote, swap proxy is simply a declaration that handles terms quotes and token swaps betwixt a marketplace shaper and traders.

TrustedVolumes confirmed the breach, publishing 3 wallet addresses holding the stolen funds, astir $3 million, $3 million, and $700,000, and said it was "open to constructive connection regarding a bug bounty and a mutually acceptable resolution."

Hakan Unal, elder information operations pb astatine crypto information steadfast Cyvers, told Decrypt the basal origin was a operation of “permissionless signer registration, breached replay protection, and an unvalidated transportation root field.”

The flaws fto the attacker enactment arsenic a trusted signer and drain victims without valid authorization, with funds routed done high-risk no-KYC speech ChangeNow earlier being swapped to ETH, helium added.

“The harm could person been acold greater,” Unal said. “With replay extortion nonfunctional, the attacker could person perchance drained further approved accounts repeatedly.”

Decrypt has reached retired to TrustedVolumes for comment.

1inch distances itself

DeFi aggregator 1inch pushed backmost aft reports linked the level straight to the breach, framing it arsenic an onslaught connected the protocol itself.

“We tin corroborate that neither 1inch nor immoderate of the 1inch protocols are involved,” 1inch tweeted. “There is nary interaction connected 1inch systems, infrastructure oregon idiosyncratic funds.”

“From a vetting and monitoring perspective, we are moving alongside our information partners to recognize the specifics of however this exploit occurred, and we volition beryllium incorporating immoderate applicable findings into our ongoing information and integration processes,” a 1inch spokesperson told Decrypt.

If a supplier is “unavailable oregon compromised, others proceed to service users without disruption,” with this “built-in redundancy” a halfway plan rule that “functioned precisely arsenic intended successful this case,” the spokesperson added.

“While it is existent that 1inch uses TrustedVolumes arsenic a resolver, we are 1 of many. The framing of this communicative is yet confusing and harmful,” 1inch co-founder Sergej Kunz tweeted.

Attacks connected DeFi

“What’s striking astir the TrustedVolumes incidental is that the aforesaid attacker struck twice, months apart, against antithetic contracts,” Nick Harris, laminitis and CEO of crypto plus betterment level CryptoCare, told Decrypt, describing the perpetrator arsenic a “patient, targeted operator” alternatively than an opportunistic hacker. He warned that surviving an exploit doesn’t needfully adjacent the hazard but whitethorn alternatively “open a caller one.”

The TrustedVolumes exploit follows a brutal agelong for DeFi, with North Korean hackers draining $285 cardinal from Drift Protocol and Kelp DAO losing $293 million successful an onslaught it blamed on compromised LayerZero infrastructure.

The Kelp hack has since spilled into a U.S. national court, wherever Aave is fighting to unblock $71 million successful frozen idiosyncratic funds connected Arbitrum.