1inch-Linked Exploit Drains $6M From TrustedVolumes
TrustedVolumes, a key liquidity provider for 1inch, lost $5.87 million in an ongoing Ethereum exploit targeting its custom RFQ swap proxy contract. The attack, detected May 7, 2026, by Blockaid, links to the same operator behind a March 2025 1inch Fusion V1 breach.[1][2] Traders continue routing through TrustedVolumes despite the incident, signaling short-term liquidity resilience amid DeFi security pressures.
Overview
- Losses: 1,291 WETH, 206,282 USDT, 16.9 WBTC, 1.27 million USDC drained from resolver contract at 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756.[1][2]
- Timeline: Exploit active as of May 7; Blockaid monitoring shows ongoing drainage, with full details pending.[2]
- Connection: Attacker matches March 2025 operator who exploited legacy settlement paths in 1inch Fusion V1, causing over $5 million in losses.[1]
- Scope: Limited to TrustedVolumes’ custom proxy; no direct impact on standard 1inch user routes or core protocol.[1][2]
- Response: Security teams urge bots and traders to avoid affected contracts; 1inch clarifies users unaffected.[2]
Subscribe to our Social Media for Exclusive Crypto News and Insights 24/7!
Exploit Mechanics and Prior Incident
Blockaid identified suspicious activity in TrustedVolumes’ Ethereum resolver, a component that supplies liquidity to 1inch and other aggregators. The attacker exploited a vulnerability in the firm’s custom RFQ swap proxy, distinct from the standard user paths on 1inch.[1] Stolen funds flowed to tracked attacker addresses, with the firm withholding full technical disclosure until the attack vector is mapped.
This marks the second strike by the same operator. In March 2025, attackers abused unsafe calldata handling and resolver trust assumptions in 1inch Fusion V1, hitting multiple third-party market makers.[1] 1inch and partners patched that flaw, migrating to updated contracts. Blockaid notes the current exploit leverages a signature verification issue in TrustedVolumes’ setup, enabling unauthorized order forgery.[5]
1inch emphasized the incident does not compromise its protocol. “Early headlines should not confuse users,” the team stated, pointing to TrustedVolumes’ independent resolver as the sole target.[2]
Liquidity Flows Persist Amid Breach
Market data shows no immediate flight from TrustedVolumes. On-chain activity around its contracts remains steady post-exploit, with traders and bots continuing to route swaps.[2] Interpretation based on available data: This reflects DeFi’s tolerance for isolated resolver risks, as core liquidity pools stay intact.
| Asset Drained | Amount | USD Value (approx.) |
|---|---|---|
| WETH | 1,291 | $4.2M [1] |
| USDT | 206,282 | $0.21M [1] |
| WBTC | 16.9 | $1.4M [1] |
| USDC | 1.27M | $1.27M [1] |
| Total | - | $5.87M |
The table above breaks down confirmed outflows. No recovery efforts are reported yet.
Broader DeFi Security Context
DeFi hacks persist into 2026. DefiLlama tracks $11.81 billion total value hacked, with $6.72 billion in DeFi proper.[7] Recent cases include Ekubo’s $1.4 million loss on May 6 and SwapNet’s $13 million exploit in January.[6] TrustedVolumes adds to scrutiny on market makers’ custom proxies and approval risks.
Analysts note recurring themes: over-trusted resolvers and proxy flaws.[1] Market participants view these as containable if limited to non-core components. Data from revoke.cash highlights user exposure via approvals, urging revocations.[6]
| Recent DeFi Exploits | Date | Chain | Amount Lost |
|---|---|---|---|
| TrustedVolumes | May 7, 2026 | Ethereum | $5.87M [1] |
| Ekubo | May 6, 2026 | - | $1.4M [6] |
| SwapNet | Jan 26, 2026 | - | $13M+ [6] |
| Saga | Jan 21, 2026 | SagaEVM | $6M+ [3] |
This comparison underscores exploit frequency, with Ethereum as a hotspot.
Market Structure Implications
The breach tests DeFi market structure. Liquidity providers like TrustedVolumes underpin aggregators such as 1inch, handling RFQ swaps for optimal pricing. Persistent flows post-exploit suggest investor behavior prioritizes yield over isolated risks, bolstering adoption trends for audited proxies.[2]
Competitive dynamics sharpen. Rivals may gain if users revoke TrustedVolumes approvals en masse. Yet, no mass exodus appears; bots adapt by rerouting, per Blockaid warnings.[2] Data suggests short-term confidence holds, as 1inch volume remains stable.
Adoption faces headwinds. Repeated market maker hits pressure protocols to harden resolvers, potentially slowing custom RFQ innovation. Institutional inflows to DeFi, tracked at messari.io, could pause if unrecovered losses mount.
Risks and Uncertainties
The exploit remains active, risking further drainage.[2] Uncertainties include full attacker traceability-while Blockaid links addresses on-chain, recovery odds drop if funds mixers hit, as in prior cases.[3] Conflicting reports peg losses at $6-6.7 million; Blockaid’s $5.87 million is most precise.[1][5]
A downside scenario: Escalation to user funds if proxies cascade. Counterpoint: 1inch’s clarification limits fallout, and patches from March 2025 prove effective.[1] Traders should monitor etherscan.io for contract activity at 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756.
Forward, DeFi eyes stricter resolver audits. Persistent liquidity use signals maturity, but security lapses cap scaling. Market structure hinges on faster detection tools like Blockaid’s.
Sources
[1] https://www.mexc.com/news/1075682[2] https://www.banklesstimes.com/articles/2026/05/07/1inch-market-maker-hit-by-active-exploit-6m-drained-so-far/
[3] https://rekt.news/saga-rekt
[4] https://tradersunion.com/news/cryptocurrency-news/show/2009625-6-million-stolen/
[5] https://www.ainvest.com/news/trustedvolumes-exploit-6-7m-flow-breakdown-defi-security-aftermath-2605/
[6] https://revoke.cash/exploits
[7] https://defillama.com/hacks
