On the evening of May 7, 2026, blockchain security firms PeckShield and Blockaid detected a live exploit targeting TrustedVolumes, a prominent market maker and liquidity provider associated with the 1inch ecosystem. By the time the attack concluded, approximately $6.7 million in digital assets had been drained from the protocol’s resolver contract on Ethereum mainnet. The incident underscores a persistent weakness in DeFi architecture: smart contract functions that are publicly accessible but should not be. Bitcoin trades near $80,900 and Ethereum sits at approximately $2,327 as the market digests the latest in a string of high-profile exploits that have defined the first half of 2026.
The Exploit Mechanics
The attack vector was deceptively simple. TrustedVolumes operated a Custom RFQ (Request for Quote) Swap Proxy contract at address 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31. This contract managed a whitelist of “authorized order signers” — addresses permitted to issue valid trading instructions on behalf of the protocol. Whitelist-based signer management is a common pattern in DeFi market-making, where only trusted parties should execute swaps against user-locked liquidity.
However, as crypto researcher Humphrey documented in a post-incident analysis, the registration function within this proxy contract was entirely public and lacked any permission modifiers. In Solidity terms, the function did not include onlyOwner, onlyAdmin, or any access control check. Any external address could call it and register itself as an authorized order signer.
The attacker exploited this design flaw in three steps:
- Self-registration: Called the public function to add their own address to the authorized signer whitelist.
- Order forging: Used their newly acquired signing privileges to generate valid-looking swap orders against the resolver contract.
- Fund extraction: Leveraged existing token approvals that users had previously granted to the TrustedVolumes resolver to move funds directly from user wallets without requiring any new user interaction.
The third step is what made this exploit particularly devastating. Users who had previously interacted with TrustedVolumes through 1inch or other integrated protocols had granted unlimited ERC-20 allowances to the resolver contract. Once the attacker became an authorized signer, those pre-existing approvals gave them a direct path to user funds.
Affected Systems
The stolen assets spanned multiple major tokens, according to on-chain data compiled by PeckShield:
- 1,291.16 WETH (Wrapped Ethereum)
- 206,282 USDT (Tether)
- 16.939 WBTC (Wrapped Bitcoin)
- 1,268,771 USDC (USD Coin)
The total value at the time of the exploit was approximately $5.87 million based on real-time prices, though TrustedVolumes later updated the estimated loss to roughly $6.7 million as asset valuations shifted. The attacker quickly consolidated all stolen assets, exchanging them for 2,513 ETH (about $5.85 million at the ETH price cited above) on a decentralized exchange and distributing the proceeds across three controlled addresses.
Despite initial reports linking the attack to 1inch, the DEX aggregator moved swiftly to clarify that its own infrastructure was unaffected. In an official statement posted on X, 1inch confirmed: “There is no impact on 1inch systems, infrastructure or user funds.” The company explained that TrustedVolumes operates independently as a liquidity provider used by multiple protocols across the industry and is not exclusive to 1inch.
The Mitigation Strategy
TrustedVolumes confirmed the incident publicly, sharing the blockchain addresses holding the stolen funds and expressing openness to negotiation. In a statement reminiscent of the protocol’s previous encounter with the same attacker, TrustedVolumes said it was “open to constructive communication regarding a bug bounty and a mutually acceptable resolution.”
This is not the first interaction between this attacker and TrustedVolumes. Security researchers identified the exploiter as the same individual responsible for the March 2025 1inch Fusion V1 Settlement contract exploit, which drained approximately $5 million. In that earlier incident, the hacker “proactively initiated on-chain negotiations,” offering to return stolen assets in exchange for a white hat bounty. The protocol accepted, and most funds were recovered.
However, the technical nature of the two attacks differs significantly. The 2025 vulnerability involved low-level EVM memory manipulation in the Fusion V1 Settlement contract — a sophisticated, nuanced exploit targeting the Ethereum Virtual Machine’s internal state. The 2026 attack, by contrast, exploited a far more mundane flaw: the absence of a basic access control modifier on a publicly exposed function.
Lessons Learned
The contrast between the two exploits is instructive. While the 2025 attack required deep EVM expertise, the 2026 TrustedVolumes breach was preventable with elementary smart contract security practices:
- Access control is non-negotiable. Any function that modifies critical state — such as adding addresses to a signer whitelist — must include strict permission modifiers. OpenZeppelin’s Ownable or AccessControl patterns provide battle-tested implementations.
- Unlimited approvals create systemic risk. The attacker’s ability to drain user funds depended entirely on pre-existing unlimited token approvals. Protocols should request minimum-necessary allowances, and users should revoke approvals they no longer need.
- Resolver contracts demand heightened scrutiny. RFQ resolvers and market-making proxies handle order execution on behalf of users, making them high-value targets. These contracts warrant multiple independent audits and formal verification of access control paths.
- Repeat attackers exploit institutional memory gaps. That the same attacker returned to target the same victim suggests that TrustedVolumes did not fully remediate the attack surface exposed in 2025. Post-incident reviews must be comprehensive, covering all related contracts and operational patterns, not just the specific function that was exploited.
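To make the first lesson and the three-step attack under The Exploit Mechanics concrete, here is an added Solidity example. It is not code from TrustedVolumes, 1inch or the page’s author, and it is a deliberate simplification: a signature-gated “fill” that pulls tokens from an address that has approved the proxy, first with the unprotected registration function the article describes, then hardened with OpenZeppelin’s Ownable. Contract and function names (VulnerableRfqProxy, HardenedRfqProxy, addSigner, setSigner, fill), the order hash layout and the event names are assumptions; it targets OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not TrustedVolumes code. Assumes OpenZeppelin Contracts v5.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// --- BEFORE: hypothetical reconstruction of the class of bug described above ---
contract VulnerableRfqProxy {
    using SafeERC20 for IERC20;

    mapping(address => bool) public isSigner;

    // No access control: any externally owned account can register itself
    // (step 1 of the attack).
    function addSigner(address signer) external {
        isSigner[signer] = true;
    }

    // Pulls `amount` of `token` from `from` using the allowance `from` once
    // granted to this proxy. Once the attacker is a signer, `from` can be any
    // address with an allowance still outstanding (steps 2 and 3).
    function fill(address token, address from, address to, uint256 amount, bytes calldata sig) external {
        bytes32 orderHash = keccak256(abi.encode(token, from, to, amount));
        address signer = ECDSA.recover(_prefixed(orderHash), sig);
        require(isSigner[signer], "bad signer");
        IERC20(token).safeTransferFrom(from, to, amount);
    }

    function _prefixed(bytes32 h) internal pure returns (bytes32) {
        // EIP-191 personal_sign prefix
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }
}

// --- AFTER: signer set is owner-gated; orders are bound to this chain and
// contract, expire, and cannot be replayed ---
contract HardenedRfqProxy is Ownable {
    using SafeERC20 for IERC20;

    mapping(address => bool) public isSigner;
    mapping(bytes32 => bool) public filled;

    event SignerUpdated(address indexed signer, bool allowed);
    event OrderFilled(bytes32 indexed orderHash, address indexed signer, address indexed from, uint256 amount);

    // `initialOwner` should be a multisig or timelock, never a hot key.
    constructor(address initialOwner) Ownable(initialOwner) {}

    // onlyOwner is the single check whose absence enabled self-registration.
    function setSigner(address signer, bool allowed) external onlyOwner {
        require(signer != address(0), "zero signer");
        isSigner[signer] = allowed;
        emit SignerUpdated(signer, allowed);
    }

    function fill(
        address token, address from, address to, uint256 amount,
        uint256 deadline, uint256 nonce, bytes calldata sig
    ) external {
        require(block.timestamp <= deadline, "expired");
        // Domain-bind the hash so a signature for another chain or another
        // deployment of this contract is not valid here.
        bytes32 orderHash = keccak256(
            abi.encode(block.chainid, address(this), token, from, to, amount, deadline, nonce)
        );
        require(!filled[orderHash], "already filled");
        address signer = ECDSA.recover(_prefixed(orderHash), sig); // reverts on a malformed signature
        require(isSigner[signer], "bad signer");
        filled[orderHash] = true; // effects before the external token call
        emit OrderFilled(orderHash, signer, from, amount);
        IERC20(token).safeTransferFrom(from, to, amount);
    }

    function _prefixed(bytes32 h) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }
}
```

Against VulnerableRfqProxy the whole attack is two transactions: addSigner(attackerEOA), then fill(...) with from set to any address that still has an allowance to the proxy and a signature from the attacker’s own key. The replay, deadline and domain-binding checks in the hardened version are unrelated to the access-control bug but belong in any signature-gated executor; and note that even HardenedRfqProxy cannot protect users if a legitimate signer key is compromised, which is why the allowance lesson stands on its own.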
The broader context amplifies these lessons. April 2026 saw approximately $647 million stolen across 40 crypto hacks, a 1,140% month-over-month increase from March’s $52.2 million. The two largest incidents — Drift Protocol’s $285 million loss and KelpDAO’s $290 million exploit — now rank among the top 10 hacks since 2021. The TrustedVolumes breach, while smaller in scale, shares the same root cause as many of these incidents: inadequate access control on critical contract functions.
User Action Required
If you have ever interacted with TrustedVolumes or 1inch’s resolver contracts, take the following steps immediately:
- Check your token approvals on Revoke.cash or Etherscan’s Token Approvals dashboard for any active allowances to the compromised resolver address 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31.
- Revoke all active approvals to this contract, regardless of whether funds were already moved.
- Review approvals on all other DeFi protocols you use. Any contract with an unlimited approval that you are not actively using represents a potential attack vector.
- Monitor your wallet for unexpected outgoing transactions. Use Blockaid’s real-time monitoring tools or set up alerts through Etherscan.
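The allowance check in the first two steps is what approval dashboards compute under the hood. As an added example (not code from Revoke.cash, Etherscan, Blockaid or TrustedVolumes), here is a read-only Solidity helper that performs it for one owner and one spender across a list of tokens. The contract name, the audit function and the UNLIMITED_THRESHOLD heuristic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from any tool named on the page.
interface IERC20Allowance {
    function allowance(address owner, address spender) external view returns (uint256);
}

// Read-only helper: for one (owner, spender) pair, report the outstanding
// allowance on each token in `tokens` and whether it is effectively unlimited.
contract AllowanceAudit {
    struct Exposure {
        address token;
        uint256 allowance;
        bool unlimited;
    }

    // Heuristic assumption: anything at or above 2**96 - 1 is treated as
    // "unlimited". Wallets and dapps variously set type(uint256).max,
    // 2**255 - 1 or 2**96 - 1; all three exceed any realistic balance.
    uint256 public constant UNLIMITED_THRESHOLD = 2 ** 96 - 1;

    // Tokens that revert on allowance(), or addresses that are not contracts,
    // are reported with allowance 0 rather than aborting the whole audit.
    function audit(address owner, address spender, address[] calldata tokens)
        external
        view
        returns (Exposure[] memory out, uint256 exposedCount)
    {
        out = new Exposure[](tokens.length);
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 a = _allowanceOrZero(tokens[i], owner, spender);
            out[i] = Exposure({token: tokens[i], allowance: a, unlimited: a >= UNLIMITED_THRESHOLD});
            if (a != 0) exposedCount++;
        }
    }

    function _allowanceOrZero(address token, address owner, address spender) internal view returns (uint256) {
        (bool ok, bytes memory data) = token.staticcall(
            abi.encodeCall(IERC20Allowance.allowance, (owner, spender))
        );
        if (!ok || data.length < 32) return 0;
        return abi.decode(data, (uint256));
    }
}
```

Deploy once per chain, or run it through eth_call, with spender set to 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31 and the token list covering at least WETH, USDT, WBTC and USDC. A nonzero exposedCount means step two applies. The revocation itself cannot be done by a helper contract: it must be a transaction from your own account calling approve(spender, 0) on each token. If you script that, remember that USDT’s approve does not return a bool, so use a SafeERC20-style wrapper rather than checking a return value.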
The TrustedVolumes exploit demonstrates that in DeFi, the line between secure and compromised often comes down to a single missing permission check. As the exploit count for 2026 continues to mount, users and protocols alike must treat access control as the foundational layer of security — not an afterthought.
This article is for informational purposes only and does not constitute financial or security advice. Always verify claims independently before taking action.
Real-time monitoring tools are getting better at catching exploits early
Missing onlyOwner on a signer registration function in 2026 is embarrassing. This is security 101 stuff.
The industry needs standardized security audit frameworks
Social engineering attacks are becoming more sophisticated
Multi-sig wallets should be the default for everyone in crypto
Lukas Bauer, good point on multi-sig, but that wouldn't have helped here. The issue was the contract itself had no access control on signer registration.