The TrustedVolumes platform, a vital conduit for transactions across several decentralized finance protocols, was divested of approximately $6.7 million following a sophisticated exploitation of one of its primary smart contracts. Amidst the burgeoning reports of the breach, the 1inch network issued a prompt clarification, asserting that its core infrastructure remains untainted and that user assets are securely sequestered.
The incursion was first identified by the security firm Blockaid. Forensic analysts revealed that the adversary exfiltrated over 1,290 WETH, 206,000 USDT, nearly 17 WBTC, and approximately 1.26 million USDC from the TrustedVolumes contract. Blockaid attributed the maneuver to the same operative responsible for the 1inch Fusion V1 incident in March 2025. While that prior event utilized a distinct vulnerability, the current exploit targeted a specific TrustedVolumes proxy contract designed for token swaps via a Request for Quote (RFQ) mechanism.
TrustedVolumes has formally acknowledged the compromise and disclosed the cryptographic addresses currently harboring the purloined capital. Two primary addresses contain roughly $3 million each, while a third holds nearly $700,000. Representatives from the platform expressed an inclination toward negotiation, proposing a “white hat” bounty and a potential settlement with the perpetrator.
Hakan Unal, Lead Security Researcher at Cyvers, elucidated that the breach resulted from a deleterious amalgam of coding oversights. The contract permitted the unrestricted registration of “trusted” signers, failed to implement rigorous transaction replay protection, and neglected to verify the provenance of fund transfers. These systemic lapses allowed the attacker to masquerade as an authorized node, authorizing the withdrawal of assets without the legitimate owners’ consent.
According to Unal, the stolen liquidity was laundered through the ChangeNow exchange—a platform known for its absence of mandatory “Know Your Customer” (KYC) protocols—before being converted into Ethereum. The specialist noted that the potential carnage could have been far more extensive, as the defective security mechanism permitted iterative attacks on the same accounts.
In response to narratives linking the incident to 1inch, the service emphasized that the breach impacted neither its primary platform nor its users’ holdings. The firm clarified that TrustedVolumes operates as an autonomous entity and is merely one of myriad liquidity providers integrated into their broader ecosystem. Sergej Kunz, co-founder of 1inch, characterized reports of a “1inch hack” as profoundly misleading and detrimental to the platform’s prestige. 1inch further stated that they are collaborating with security partners to scrutinize the minutiae of the attack to refine future integration audits.
This event represents yet another blow to the decentralized finance sector, which has recently endured a series of monumental losses. Previously, North Korean state-sponsored actors exfiltrated $285 million from Drift Protocol, while Kelp DAO suffered a $293 million deficit following an infrastructural compromise of LayerZero. The repercussions of the Kelp DAO incident have since ascended to the U.S. Federal Court, where the Aave platform is currently seeking the restitution of $71 million in frozen user assets within the Arbitrum network.