TrustedVolumes exploit drains $6.7M from 1inch liquidity provider

TrustedVolumes, a liquidity provider and market maker for decentralized exchange aggregator 1inch, is suffering an ongoing attack that has drained approximately $6.7 million in funds, according to reports from blockchain security firm Blockaid and TrustedVolumes itself. Blockaid initially flagged the exploit on Wednesday as affecting TrustedVolumes' resolver contract on the Ethereum blockchain, with the company providing an updated loss figure on Thursday and indicating consideration of a bug bounty to address the situation. 1inch confirmed that its systems, infrastructure, and user funds remain unaffected.

Initial Blockaid Report

Blockaid reported that the initial drained amount was approximately $5.87 million, comprised of 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1,268,771 USDC. According to Blockaid, the attacker is the same entity responsible for the March 2025 exploit of 1inch Fusion V1, which drained around $5 million. However, Blockaid noted that the ongoing attack involves a different vulnerability related to a TrustedVolumes-controlled custom RFQ (request for quote) swap proxy.

TrustedVolumes Response

TrustedVolumes confirmed the exploit on Thursday, updating the loss amount to approximately $6.7 million. The company indicated it will consider a bug bounty as a potential solution to address the situation.

1inch Statement

1inch released a statement clarifying that there is no impact on its systems, infrastructure, or user funds. "TrustedVolumes operate independently as a liquidity provider, used by multiple protocols across the industry, and are not exclusive to 1inch," the statement said. "We continue to monitor the situation and are actively assisting where appropriate alongside relevant security parties."

Broader DeFi Security Context

Attacks on DeFi participants have surged significantly in recent weeks. According to data from DefiLlama, a total of $635.2 million was stolen in hacks and exploits in April 2025, marking the largest monthly sum since February 2025, when hackers stole nearly $1.5 billion from Bybit. Recent major exploits include a $285 million social engineering attack on Drift and a $293 million exploit on Kelp DAO. The attack on TrustedVolumes marks the fifth major exploit since the beginning of May.