The party responsible for the TrustedVolumes exploit has returned 1,122 ETH, worth roughly $2 million at current prices. On-chain monitoring identified the transfer as a partial repayment linked to the May 7, 2026 incident. The repayment marks the latest development in the original TrustedVolumes exploit, in which the stolen assets were converted into approximately 2,513 ETH. TrustedVolumes reported a total loss of approximately $6.7 million. Initial security estimates valued the drain at about $5.87 million, comprising 1,291.16 WETH, 206,282 USDT, 16.939 WBTC and roughly 1.27 million USDC taken from the project’s inventory.
⚠️ JUST IN: The TrustedVolumes exploiter has returned 1,122 ETH ($2M+
The original exploit resulted in more than $5.8M being stolen. The exploiter has now returned around $2M while retaining another $2M as a “bounty” pic.twitter.com/HJSdx4i4Or
— Com Feed (@thecomfeed) July 18, 2026
The return followed a settlement message requesting exactly 1,122 ETH.
- Return address: 0xb6f28ed0f919a12822fe78f6d610e5e09a6fe450
- Primary attacker-associated address: 0xC3EBDdEa4f69df717a8f5c89e7cF20C1c0389100
The attacker retained funds of comparable value and described the remaining portion as a bounty. TrustedVolumes has not published the complete settlement terms or directly confirmed the final bounty amount. After the exploit, the project said it was open to constructive communication over a vulnerability bounty and a mutually acceptable resolution.
Bounty offers are also used in other crypto recovery efforts, including the BC.GAME hack, where the platform offered $500,000 for credible information identifying the attacker. Unlike recoveries where security researchers receive a formally approved reward, such as the $1.84 million Foom.cash rescue, the amount retained in this case has only been labelled a bounty by the attacker.
Custom RFQ Proxy Enabled the Exploit
Security researchers attributed the incident to TrustedVolumes’ custom request-for-quote swap proxy. Access-control and authorization weaknesses allowed the attacker to register an approved order signer and submit malicious orders against the project’s inventory.
The contract checked authorization using the order’s receiver field but transferred tokens from the inventory address. Researchers also identified ineffective replay protection. Together, the flaws enabled the attacker to drain multiple assets in a single transaction.
1inch Systems Were Not Affected
The vulnerable RFQ proxy and inventory contracts were controlled by TrustedVolumes. They were not part of 1inch’s core aggregation infrastructure. 1inch said its protocols, systems and user funds were unaffected. The incident targeted TrustedVolumes’ independent market-making setup rather than ordinary swaps made through 1inch. The 1,122 ETH transfer confirms a partial recovery from the May exploit. However, TrustedVolumes has not publicly disclosed how the retained amount was calculated or whether it considers the settlement complete.

















