TrustedVolumes, a 1inch liquidity provider and RFQ order settlement company, was hacked on May 7, with an estimated loss of about $6.7 million. The Defiant summarizes the incident: the attackers registered as an “authorised order signer” through a public function of TrustedVolumes’ own RFQ trading proxy contract, then used that permission to drain the target wallet through its existing token approvals. 1inch has publicly distanced itself from the incident: its core smart contracts, backend systems, and user-held funds were not touched, and the vulnerability lies in TrustedVolumes’ own custom proxy contract.
Attack path: abusing existing token approvals by misusing the authorised signer identity
Technical details of this attack:
Vulnerability point: a public function in TrustedVolumes’ own RFQ trading proxy contract
Attack path: the attacker calls this function to register as an “authorised order signer”
Actual withdrawal: after obtaining authorisation, using the users’ previously existing token approvals for the proxy contract to transfer funds from multiple wallets
User side: no need to sign any new transaction—funds were drained purely based on existing authorisations
What is especially notable about this attack path is that, for users, there is “no new suspicious transaction signing prompt”; the attack happens entirely at the contract level. This serves as a reminder for DeFi users to periodically revoke token approvals they no longer use, even for trusted protocols.
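The approval hygiene recommended above can be checked from on-chain logs. The following is an added example, not code from the article, 1inch or TrustedVolumes: it replays ERC-20 Approval event logs and lists an owner's approvals to a watched spender that are still non-zero. All addresses and logs are constructed placeholders, and the log layout (eth_getLogs-style fields with blockNumber and logIndex already converted to integers) is an assumption.

```python
# topic0 = keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def standing_approvals(logs, owner, watched_spenders=None):
    """Return {(token, spender): amount} for the owner's non-zero approvals.
    Logs are replayed in chain order, so a later Approval (a revoke to 0
    included) overrides an earlier one for the same token and spender."""
    owner = owner.lower()
    watched = {s.lower() for s in watched_spenders} if watched_spenders else None
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        spender = topic_to_address(topics[2])
        if watched is not None and spender not in watched:
            continue
        latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {pair: amt for pair, amt in latest.items() if amt > 0}

# Constructed sample data: placeholder addresses, not real contracts or wallets.
OWNER, STRANGER = "0x" + "aa" * 20, "0x" + "dd" * 20
PROXY, OTHER = "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20

def _log(token, owner, spender, amount, block, extra_topics=()):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra_topics],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    _log(TOKEN_B, OWNER, PROXY, 0, 150),          # later revoke of block 101
    _log(TOKEN_A, OWNER, PROXY, UNLIMITED, 100),  # unlimited, never revoked
    _log(TOKEN_B, OWNER, PROXY, 5000, 101),
    _log(TOKEN_A, OWNER, OTHER, 1000, 120),       # different spender
    _log(TOKEN_A, STRANGER, PROXY, 7, 130),       # different owner
    _log(TOKEN_A, OWNER, PROXY, 0, 160, ("0x" + "0" * 64,)),  # 4 topics: NFT
]

print(standing_approvals(SAMPLE_LOGS, OWNER, [PROXY]))
```

Approval events record the last value set, and many tokens reduce the allowance on transferFrom without emitting a new event, so treat the output as candidates and confirm each with the token's allowance(owner, spender) before revoking with approve(spender, 0).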
Breakdown of the $6.7 million loss: four major tokens drained in one go
Breakdown of stolen assets:
1,291.16 WETH
206,282 USDT
16.939 WBTC
1,268,771 USDC
Initial Blockaid alerts showed a loss of about $5.87 million; TrustedVolumes later confirmed an updated figure of $6.7 million. The gap comes from differences in token price valuation and further tracking of the stolen funds.
1inch distances itself from the incident: core contracts unaffected
1inch’s official response to this incident:
1inch’s own smart contracts: not affected
1inch backend systems: not affected
1inch user-held funds: not affected
The vulnerability in this case is in TrustedVolumes’ own proxy contract, not 1inch’s core infrastructure
What this separation means in practice for DeFi users: those who perform routine trades via the 1inch mainnet interface are not affected by this incident, but users who previously granted token approvals to the TrustedVolumes proxy contract, even if they did not use 1inch directly, may fall within the affected scope. Security firm Blockaid speculated that the attacker in this incident may be the same group behind the 1inch Fusion v1 attack in March 2025.
Follow-up developments to track: TrustedVolumes’ bounty offer (Cointelegraph has reported that the bounty is already posted), the flow of funds from the attacker’s wallet, and whether 1inch introduces new security audit requirements for the RFQ settlement-provider ecosystem.
This article, “1inch liquidity provider TrustedVolumes was hacked: $6.7 million stolen, old attacker returns to the scene”, was first published on 链新闻 ABMedia.