DeFi Platform TrustedVolumes Hit by $6.7M Exploit
TrustedVolumes, a liquidity provider for multiple DeFi protocols, suffered an exploit that drained about $6.7 million in WETH, USDT, WBTC, and USDC from its Ethereum-based resolver contract. Blockchain analytics firm Blockaid linked the attacker to a previous 1inch Fusion V1 incident, though a separate vulnerability was used—this time in TrustedVolumes’ custom RFQ swap proxy, which handles price quotes and token swaps. Security analysis identified permissionless signer registration, broken replay protection, and unvalidated transfer sources as root causes, letting the attacker register as a trusted signer and repeatedly drain funds without proper authorization. Stolen funds were routed through no-KYC exchange ChangeNow and swapped to ETH. TrustedVolumes published wallet addresses holding the stolen assets and expressed openness to negotiating a resolution. 1inch stated it uses TrustedVolumes as one of many resolvers and confirmed no impact on its own protocols, emphasizing system redundancy. Experts described the attacker as a methodical and targeted operator. The incident adds to a series of major DeFi hacks, including the recent $285 million Drift Protocol and $293 million Kelp DAO exploits.
