TrustedVolumes, a liquidity provider and market maker connected to 1inch, was hit by an ongoing exploit that drained about $5.87 million from its Ethereum resolver contract, according to blockchain security firm Blockaid.
Summary
- Blockaid said TrustedVolumes lost nearly $6 million from its Ethereum resolver contract during the exploit.
- The attacker was linked to the earlier 1inch Fusion V1 exploit from March 2025.
- The case adds pressure on DeFi market makers to review approvals and custom proxy risks.
The stolen assets included 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1,268,771 USDC. The attack affected a TrustedVolumes-controlled custom RFQ swap proxy, not a standard user swap route.
Blockaid said the attacker was the same operator linked to the March 2025 1inch Fusion V1 exploit. However, the firm said the latest case used a different vulnerability tied to TrustedVolumes’ custom RFQ swap proxy.
The March 2025 incident also affected third-party resolvers using 1inch Fusion V1. BlockSec later said that exploit caused more than $5 million in losses after attackers abused unsafe calldata handling and resolver trust assumptions.
CertiK Alert, cited by Binance News, said the attacker used a public function to register as an AllowedOrderSigner. The attacker then executed orders that moved pre-authorized funds from the victim address. CertiK advised users to revoke approvals linked to the affected contract.
DeFi security pressure keeps rising
The TrustedVolumes attack came after a difficult April for DeFi security. Crypto.news reported that protocols lost more than $606 million in the first 18 days of April alone, based on DefiLlama data.
That total was led by two large cases. Drift Protocol lost about $285 million, while Kelp DAO lost about $292 million. Crypto.news said those two exploits accounted for most tracked April losses at that time.
In a separate update, crypto.news reported that Wasabi Protocol lost more than $5 million across Ethereum, Base, Berachain, and Blast. Security firms said a compromised admin key allowed attackers to upgrade contracts and drain funds.
Custom permissions remain a weak point
The TrustedVolumes case puts attention back on resolver contracts, approval systems, and custom market-making tools. These systems often need special permissions to move funds and complete trades quickly.
That structure can create risk when permissions remain active after contracts become vulnerable. It can also make losses larger when attackers find a way to act as trusted signers or route funds through approved contracts.
The incident does not show that all 1inch users were directly affected. The available reports point to TrustedVolumes’ own resolver and RFQ proxy setup as the affected area.
