TrustedVolumes, a prominent market maker and resolver for 1inch Fusion, was exploited for $6.7 million on Thursday. The attacker abused a publicly accessible function to register as an authorized order signer, bypassing traditional security checks. 1inch Network clarified that its core aggregation protocols and user funds remain unaffected by the third-party breach.
Liquidity provider TrustedVolumes, a key market maker and resolver utilized by 1inch Fusion, confirmed on Thursday that it was drained of approximately $6.7 million in an exploit on the Ethereum network. The incident marks the fifth major DeFi exploit since the beginning of May, following a period of record-high losses for the decentralized finance sector. The breach was first flagged by Web3 security firm Blockaid, which identified an ongoing attack targeting a custom request-for-quote (RFQ) swap proxy controlled by TrustedVolumes. According to security analysts, the vulnerability stemmed from a public function within the proxy contract that lacked proper permission modifiers. This allowed the attacker to self-register as an “authorized order signer,” granting them the ability to execute malicious trades and siphon assets. The stolen funds, which included Wrapped Ether (WETH), USDT, Wrapped Bitcoin (WBTC), and USDC, were quickly converted into 2,513 ETH and distributed across three separate Ethereum addresses. CertiK noted that the attacker leveraged existing token approvals previously granted by users to the vulnerable resolver, highlighting the persistent risks of long-standing unlimited approvals in DeFi. In response to the incident, 1inch Network issued a statement distancing its core infrastructure from the exploit. “Neither 1inch nor any of the 1inch protocols are involved,” the platform stated, emphasizing that TrustedVolumes operates as an independent liquidity provider used by multiple protocols. 1inch co-founder Sergej Kunz described the framing of the event as a protocol-level breach as “misleading” and “harmful.” Security researchers have linked the attacker to the March 2025 exploit of the 1inch Fusion V1 resolver, which saw a similar loss of $5 million. While the actor appears to be the same entity, Blockaid clarified that the technical nature of the vulnerability differs from the previous year’s incident. TrustedVolumes has expressed a willingness to engage in “constructive communication” with the exploiter, floating the possibility of a bug bounty in exchange for the return of the funds. The attack comes on the heels of a disastrous April for DeFi security, which saw over $635 million lost to various hacks and exploits. Disclaimer: This article is for informational purposes only and does not constitute advice of any kind. Readers should conduct their own research before making any decisions.
