The decentralized liquidity provider TrustedVolumes, a key participant in the 1inch ecosystem, suffered a devastating smart contract exploit on May 8, 2026, losing approximately $6.7 million in digital assets. The attack targeted a critical vulnerability in the protocol’s custom Request for Quote (RFQ) swap proxy, exposing yet another weakness in DeFi’s expanding attack surface as 2026 exploit losses continue to mount.
The Exploit Mechanics
The attacker exploited a public function within TrustedVolumes’ custom RFQ swap proxy contract that was designed to manage the authorized order signer whitelist. This whitelist mechanism is a standard security feature in decentralized finance — only addresses on the list can issue valid transaction instructions on behalf of the protocol. However, the registration function lacked any permission modifiers, meaning any external address could call it.
By registering themselves as an authorized order signer, the attacker gained the ability to forge trading orders. Blockchain security firms PeckShield and Blockaid were the first to flag the exploit. The attacker stole approximately $6 million in Wrapped Ethereum, Wrapped Bitcoin, USDC, and USDT by bypassing authorization checks and forging trading orders through the compromised proxy.
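The access control gap described above, shown as an added example rather than TrustedVolumes' code, which this article does not reproduce: a hypothetical signer registry with an unguarded registration function, next to a hardened version. All contract, function, event, and error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts written for this example; names and layout are
// assumptions, not TrustedVolumes' deployed code.

contract VulnerableSignerRegistry {
    mapping(address => bool) public isOrderSigner;

    // No modifier and no msg.sender check: any address can whitelist a signer.
    function registerSigner(address signer) external {
        isOrderSigner[signer] = true;
    }
}

contract HardenedSignerRegistry {
    address public immutable admin; // intended to be a multi-signature wallet
    mapping(address => bool) public isOrderSigner;

    event SignerUpdated(address indexed signer, bool allowed, address indexed by);

    error NotAdmin(address caller);
    error ZeroAddress();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin(msg.sender);
        _;
    }

    constructor(address admin_) {
        if (admin_ == address(0)) revert ZeroAddress();
        admin = admin_;
    }

    // Only the admin may change the whitelist; every change emits an event
    // that monitoring can alert on.
    function setSigner(address signer, bool allowed) external onlyAdmin {
        if (signer == address(0)) revert ZeroAddress();
        isOrderSigner[signer] = allowed;
        emit SignerUpdated(signer, allowed, msg.sender);
    }

    // Settlement paths call this after recovering the signer from the
    // order's signature, so a non-whitelisted signer cannot authorize a fill.
    function requireAuthorizedSigner(address recovered) external view {
        require(isOrderSigner[recovered], "signer not whitelisted");
    }
}
```

In an audit, the check is that every state-changing function touching `isOrderSigner` carries the `onlyAdmin` modifier (or an equivalent role check) and that the admin address is a multi-signature wallet rather than a single key.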
After extracting the funds, the hacker quickly exchanged all stolen assets for 2.513 ETH on a decentralized exchange and distributed the proceeds across three separate wallet addresses, a common laundering technique designed to complicate tracing efforts.
Affected Systems
TrustedVolumes operates as a liquidity provider and market maker for the 1inch decentralized exchange aggregator. The exploit affected users who had funds deposited in the protocol’s RFQ swap mechanism. DeFi aggregator 1inch issued a public warning about the incident, signaling that major infrastructure providers were actively monitoring the situation.
The scope of the damage remains somewhat unclear. Initial reports referenced a $6.7 million figure, while other sources cited approximately $5.9 million in losses. TrustedVolumes confirmed the incident in a post on X, sharing the addresses currently holding the stolen funds. The discrepancy between the reported figures has not been publicly reconciled.
The Mitigation Strategy
TrustedVolumes stated it is open to constructive communication regarding a bug bounty and a mutually acceptable resolution. This approach mirrors the strategy employed after a similar exploit in March 2025, when the same hacker drained $5 million from the 1inch Fusion V1 Settlement contract. In that earlier incident, the attacker proactively initiated on-chain negotiations, and most funds were returned in exchange for a white hat bounty.
Blockchain researcher Humphrey noted that while the same individual carried out both the 2025 and 2026 attacks, the technical vectors were significantly different. The 2025 vulnerability involved low-level EVM memory manipulation in the 1inch Fusion V1 Settlement contract, while the 2026 attack exploited an access control failure in a public function.
Lessons Learned
The TrustedVolumes incident underscores a persistent and dangerous pattern in DeFi security: access control failures in smart contracts continue to be one of the most common and costly vulnerability classes. A function that should have been restricted to protocol administrators was left publicly accessible, effectively giving every Ethereum user the ability to forge authorized trading orders.
The exploit also highlights the importance of independent security audits that specifically review access control patterns. While the contract may have functioned correctly in terms of its core trading logic, the permission model was fundamentally broken. Protocols deploying custom RFQ mechanisms, settlement layers, or any proxy contract that manages authorization lists should treat access control reviews as a separate audit category.
User Action Required
Users who interacted with TrustedVolumes’ RFQ swap mechanism should monitor official communications from the protocol for updates on fund recovery. Liquidity providers across DeFi should review the access control patterns of any protocol they deposit funds into, paying particular attention to contracts with public functions that manage whitelists, authorization lists, or administrative roles. The pattern exploited here — an unguarded registration function — is well-documented and entirely preventable through proper access modifiers and multi-signature requirements.
attacker swapped everything to 2.513 ETH and split across 3 wallets. $6.7M for 2.5 ETH worth of gas. the laundering is where they'll get caught
the attacker converting everything to 2.513 ETH across 3 wallets is classic laundering. 2026 exploit losses keep mounting because the attack surface grows faster than security practices. RFQ proxies are the new flash loan targets
Another day, another RFQ proxy exploit. It’s wild how these aggregation layers are becoming such a massive honey pot for hackers lately. I hope TrustedVolumes has a solid insurance fund because $6.7M isn’t exactly chump change for a mid-sized protocol.
DeFi_Watcher RFQ proxy with no permission modifiers on the whitelist function. this is not a sophisticated exploit, it's a basic access control failure
no permission modifiers on a whitelist function is DeFi security 101. PeckShield and Blockaid caught it fast but $6.7M was already gone. every function needs access control even if it seems harmless
TrustedVolumes being a key 1inch participant means this exploit cascades through composability across dozens of protocols. one vulnerable proxy can compromise the entire DEX aggregation layer
This is exactly why I still keep the bulk of my assets in cold storage. Smart contract risk is no joke, especially when you’re dealing with complex swap proxies that have so many moving parts. Really feeling for the users who got caught in this one.
DeFi yields are finally sustainable without token emissions
The composability of DeFi is something TradFi can never replicate