A significant exploit has hit TrustedVolumes, a key liquidity provider and resolver for the leading DEX aggregator 1inch. The attack occurred in the early hours of May 7, draining approximately $5.87 million in crypto assets. The attacker quickly consolidated the stolen funds into roughly 2,513 ETH.
This incident is particularly concerning because it involves the same operator responsible for the March 2025 hack on 1inch’s Fusion V1, which also affected TrustedVolumes. The TrustedVolumes team has publicly confirmed the exploit. While most funds were returned in the previous case, this time the vulnerability lies in a different component – a custom RFQ (Request for Quote) swap proxy contract controlled by TrustedVolumes.
#PeckShieldAlert @trustedvolumes has been exploited for ~$5.9M, including $3.02M $ETH, $1.37M $WBTC & 1.47M stablecoins, the exploiter has swapped the stolen funds for 2.513K $ETH
— PeckShieldAlert (@PeckShieldAlert) May 7, 2026
What Exactly Happened
According to real-time alerts from blockchain security firms Blockaid and PeckShield, the attacker exploited TrustedVolumes’ resolver contract at 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31 through a custom RFQ swap proxy contract (0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756).
Key details of the exploit:
- Exploiter Address: 0xC3EBDdEa4f69df717a8f5c89e7cF20C1c0389100
- Primary Exploit Transaction: 0xc5c61b3ac39d854773b9dc34bd0cdbc8b5bbf75f18551802a0b5881fcb990513
Stolen Assets:
- 1,291.16 WETH (approx. $3.02 million)
- 16.939 WBTC (approx. $1.37 million)
- 1,268,771 USDC + 206,282 USDT (approx. $1.47 million)
The attacker leveraged a flaw in the custom proxy that allowed unauthorized draining of funds from the resolver. Within hours, all assets were swapped into ETH.
Why This Exploit Stands Out
TrustedVolumes is a key liquidity provider and resolver deeply integrated into 1inch’s RFQ and Fusion ecosystem. Resolvers are critical for efficiently filling large orders with competitive pricing. When such an important infrastructure provider is compromised, it raises serious questions about the security of intent-based trading systems and custom proxy implementations across DeFi.
This event adds to a growing list of sophisticated DeFi exploits already seen in 2026. Recently, the crypto community also witnessed the $1.78M Moonwell exploit, which highlighted how insecure smart contract practices and rushed development workflows can create dangerous attack surfaces for protocols handling user funds. Both incidents reinforce the growing concern that even experienced DeFi teams remain vulnerable when custom contract logic and privileged permissions are not continuously stress-tested.
The most alarming aspect here is the repeat attacker pattern. The same actor who exploited an outdated Fusion V1 component in March 2025 has now returned, targeting a different but related custom implementation. This indicates a sophisticated, patient operator who actively researches and monitors specific targets.
It serves as a clear reminder: a single past hack does not make any team “battle-tested.” Instead, it can place them on a dedicated attacker’s watchlist for future opportunities.
Impact and Practical Advice
End-user funds on 1inch itself appear safe, as the exploit was limited to resolver contracts that TrustedVolumes itself controls. However, users who have interacted with TrustedVolumes or used 1inch Fusion routes are strongly advised to revoke approvals immediately via tools like Revoke.cash.
Short-term market reaction may include temporary nervousness around the $1INCH token and RFQ-related liquidity. TrustedVolumes has acknowledged the exploit and is expected to offer a bug bounty, similar to the previous incident.
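To make the approval-revocation advice above concrete, here is an added example (not code from 1inch, TrustedVolumes or Revoke.cash) that replays a wallet's ERC-20 Approval logs, in the shape eth_getLogs returns them, and reports approvals to a flagged spender that are still non-zero. It assumes the spenders worth checking are the two contract addresses named in this article; the wallet, token addresses and logs are constructed sample data.

```python
# Added example (not from the article): ERC-20 approvals still granted to flagged spenders.
# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Assumption: the spenders to check are the two contracts named in the article.
RESOLVER = "0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31".lower()
RFQ_PROXY = "0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756".lower()
FLAGGED = {RESOLVER, RFQ_PROXY}

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, flagged=FLAGGED):
    """Replay logs in chain order; return {(token, spender): amount} where
    the most recent approval from `owner` to a flagged spender is non-zero."""
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        t = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics and empty data; skip it.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC or len(log["data"]) != 66:
            continue
        spender = topic_to_address(t[2])
        if topic_to_address(t[1]) == owner.lower() and spender in flagged:
            latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    # Events record what was approved, not what transferFrom later spent:
    # confirm each hit with allowance(owner, spender) before acting on it.
    return {k: v for k, v in latest.items() if v > 0}

# Constructed sample data: wallet, token addresses and logs are made up.
OWNER, MAX_UINT = "0x" + "aa" * 20, 2**256 - 1
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20

def make_log(token, owner, spender, amount, block, index):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x%064x" % amount}

SAMPLE_LOGS = [  # deliberately out of chain order
    make_log(TOKEN_B, OWNER, RESOLVER, 0, 18, 1),             # later revoke
    make_log(TOKEN_A, OWNER, RFQ_PROXY, MAX_UINT, 16, 0),     # unlimited, never revoked
    make_log(TOKEN_B, OWNER, RESOLVER, 1000, 17, 2),          # approved, then revoked
    make_log(TOKEN_A, OWNER, "0x" + "33" * 20, 5, 19, 0),     # unrelated spender
    make_log(TOKEN_A, "0x" + "bb" * 20, RFQ_PROXY, 7, 19, 1), # someone else's wallet
]

if __name__ == "__main__":
    print(outstanding_approvals(SAMPLE_LOGS, OWNER))
```

Only the unlimited approval on the first token is reported for the sample wallet, because the approval on the second token was later set to zero.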
Key Lessons for the Crypto Community
- Custom proxy contracts and elevated permissions remain high-risk areas even in audited systems.
- Real-time security monitoring tools can significantly limit damage.
- Regular approval revocation is essential hygiene in DeFi.
- Teams with previous incidents must maintain ongoing heightened security vigilance.
This story is still developing. On-chain movements of the stolen ETH will be closely watched in the coming hours.
In the fast-moving world of DeFi, assuming any protocol is “trusted” by name alone has repeatedly proven risky. Stay vigilant, monitor your wallet permissions, and treat every smart contract interaction with caution.








