A 1inch liquidity provider called TrustedVolumes was drained of approximately $6.7 million on May 7, 2026, in one of the more technically precise DeFi exploits of the year. Blockchain security firm Blockaid detected the attack in progress. By the time it was flagged, the attacker had already executed approximately 85 transactions and split the proceeds across three wallets.
The exploit did not target 1inchβs own contracts. 1inch confirmed that its protocol, smart contracts, and user funds were not affected. The vulnerability lived entirely within TrustedVolumesβ custom infrastructure β a distinction that matters for assessing systemic risk, but one that offers little comfort given the funds are gone and the attacker appears to be a repeat offender operating with impunity across the 1inch ecosystem.
What Was Taken
The stolen funds included:
- 1,291 WETH (~$3.9M at time of attack)
- 16.9 WBTC (~$1.6M)
- 206,282 USDT
- 1.27M USDC
The proceeds were split across three attacker-controlled wallets. Two held approximately $3 million each; a third contained roughly $700,000. The 85-transaction drain happened rapidly β the speed suggests an automated script executing pre-prepared swap orders against TrustedVolumesβ liquidity contracts.
The Vulnerability: A Public Registration Door
According to blockchain security firm CertiK, the exploit hinged on a single design flaw in TrustedVolumesβ custom RFQ (Request for Quote) swap contracts: a public function that allowed anyone β without any access control β to register themselves as an authorized order signer.
In a legitimate RFQ system, only vetted market makers and designated counterparties should be able to sign swap orders that authorize fund movements. TrustedVolumesβ contract had no such restriction. Any external address could call the function, register as an allowed signer, and then submit swap orders directing funds to attacker-controlled addresses.
Once registered, the attacker issued a rapid sequence of RFQ swap orders. Each order was technically valid from the contractβs perspective β it bore a signature from a registered signer. The contract executed them faithfully, routing TrustedVolumesβ liquidity directly to the attackerβs wallets.
The Same Attacker, a Different Vulnerability
Blockchain analysts confirmed that the wallet behind the TrustedVolumes exploit is the same address responsible for the March 2025 1inch Fusion V1 hack, which drained approximately $5 million from 1inch market makers at the time.
The 2025 attack exploited a different vulnerability in a different part of the 1inch ecosystem. That the same attacker is back β targeting adjacent infrastructure in the same protocolβs orbit, using a fresh exploit vector β raises serious questions about whether the broader 1inch ecosystem has taken the threat model from the prior attack seriously enough.
1inchβs own code was not the entry point in either case. But a liquidity network is only as secure as its weakest third-party resolver. Attackers who understand a protocol ecosystem deeply enough to exploit its periphery twice represent a particular category of risk that protocol teams often underestimate.
What Third-Party Exploits Mean for DeFi Users
The TrustedVolumes attack is part of a consistent 2026 pattern: attackers increasingly bypass the hardened core of major protocols and instead target adjacent infrastructure β liquidity resolvers, price oracles, cross-chain bridges, yield aggregators β where security review tends to be less rigorous.
When you interact with a DeFi protocol, you are often implicitly trusting a stack of third-party components you never see. Your swap on 1inch may be fulfilled by a liquidity resolver youβve never heard of. Your yield strategy may depend on a bridge you never consciously chose. The exploit surface for any one transaction is wider than the interface implies.
This is not a new observation, but it remains an underappreciated one. The security audits that major protocols publish cover their own contracts. They do not cover every market maker, resolver, or liquidity provider operating within their ecosystem.
1inchβs Response
1inch moved quickly to distance itself from the incident. In a public statement, the team confirmed:
- 1inch protocol smart contracts were not compromised
- No 1inch user funds were affected
- The exploit was contained to TrustedVolumesβ own contract infrastructure
The team indicated it was monitoring the situation and working with blockchain security partners. There was no indication, as of the attack date, that TrustedVolumes had issued a recovery plan or reached out to the attacker via on-chain message β a common first step in DeFi exploit recovery attempts that sometimes results in partial fund return under βwhite hatβ arrangements.
2026 Context: Third-Party Risk Is the Attack Surface
The TrustedVolumes exploit is the latest in a year that has made third-party and supply chain risk in DeFi impossible to ignore. April 2026 saw 30 separate exploit incidents totaling $651 million in losses. The largest two β Drift Protocol ($285M) and KelpDAO ($293M) β involved sophisticated attacks on protocol infrastructure by what investigators attributed to North Korean state-sponsored operators.
Against that backdrop, a $6.7 million exploit targeting a liquidity resolver might seem minor. It is not. The TrustedVolumes attack is instructive precisely because it demonstrates that the attack surface is not limited to headline protocols. Any contract holding meaningful liquidity β especially one with inadequate access controls β is a viable target.
The crypto security community has spent years hardening the contracts of protocols like 1inch, Uniswap, and Aave. Attackers have responded by looking at whatβs around them. Until the entire ecosystem β core protocols and every third-party component in their orbits β is held to the same security standard, the losses will continue.
This article is provided for informational purposes only and does not constitute financial or legal advice.
