The cryptocurrency space has long treated each hack as an isolated incident — a one-off failure in a specific protocol’s code or operations. But the TrustedVolumes exploit on May 7, 2026, which drained $6.7 million from a 1inch liquidity provider, exposes a far more troubling pattern. The attacker behind this operation is the same individual responsible for the March 2025 1inch Fusion V1 hack that siphoned roughly $5 million from market makers. Two attacks, 14 months apart, targeting overlapping infrastructure with different techniques. This is not coincidence. This is a persistent threat actor studying DeFi systems with patient, methodical precision.
The Exploit Mechanics
The May 2026 TrustedVolumes attack did not rely on a zero-day vulnerability or a novel attack vector. Instead, it exploited a fundamental design weakness in how the resolver contract managed permissions. The attacker identified a public function within the TrustedVolumes resolver contract that could be called by anyone. Through this function, they registered themselves as an “Allowed Order Signer” — essentially granting themselves a trusted role within the contract’s permission hierarchy. Once elevated to this position, the attacker leveraged existing token approvals that users had previously granted to the contract, moving funds out of wallets without requiring any new user interaction or approval.
The entire drain executed through approximately 85 rapid transactions before security teams could respond. Blockchain analytics firm PeckShield traced the stolen assets across three Ethereum wallets: approximately $3 million in the first wallet, $3 million in the second, and $700,000 in the third. The breakdown included 1,291 WETH (Wrapped Ether), 16.9 WBTC (Wrapped Bitcoin), 206,282 USDT, and 1,268,771 USDC. The attacker immediately began converting WBTC and stablecoins into ETH to facilitate faster movement of the stolen funds.
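The permission flaw described above can be reproduced in a small model. This is an added example, not code from TrustedVolumes or 1inch: the class, method and account names are assumptions, and the contract logic is reduced to the role check and the allowance check. It also shows how a bounded approval caps the loss.

```python
# Simplified model of the flaw (added example). All names are assumptions;
# this is not the real resolver contract.
class Token:
    """Minimal ERC-20-style ledger with allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError("allowance exceeded")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Resolver:
    """Moves tokens users approved to it, at the direction of allowed signers."""
    ADDRESS = "resolver"

    def __init__(self, admin, token, guarded):
        self.admin, self.token, self.guarded = admin, token, guarded
        self.allowed_signers = {admin}

    def add_allowed_signer(self, caller, signer):
        # Without the guard, any caller can hand out the trusted role.
        if self.guarded and caller != self.admin:
            raise PermissionError("only admin may add signers")
        self.allowed_signers.add(signer)

    def fill(self, caller, owner, to, amount):
        if caller not in self.allowed_signers:
            raise PermissionError("not an allowed order signer")
        self.token.transfer_from(self.ADDRESS, owner, to, amount)

def user_balance_after(guarded, approval):
    """Replay one untrusted caller's sequence; return what the user keeps."""
    token = Token({"user": 1000})
    token.approve("user", Resolver.ADDRESS, approval)  # granted long ago
    resolver = Resolver("admin", token, guarded)
    try:
        resolver.add_allowed_signer("outsider", "outsider")
        resolver.fill("outsider", "user", "outsider", min(1000, approval))
    except PermissionError:
        pass
    return token.balances["user"]
```

With the guard off and an unlimited approval the user keeps nothing; with the guard on the same calls fail, and with the guard off but a 250-unit approval the loss stops at 250.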
Affected Systems
The impact radius of this exploit extends well beyond TrustedVolumes itself. As a resolver for 1inch Fusion, TrustedVolumes acts as a liquidity provider that fills trade orders flowing through the 1inch decentralized exchange aggregator. When the contract was drained, the disruption rippled through every platform relying on that liquidity. 1inch co-founder Sergej Kunz publicly clarified that TrustedVolumes operates independently and serves multiple platforms beyond 1inch — the exploit hit a custom TrustedVolumes contract, not 1inch’s core infrastructure.
This distinction is critical but cold comfort for users whose funds were drained. The attack surface in modern DeFi is not limited to the protocol you interact with directly. Every third-party resolver, market maker, bridge, and oracle connected to that protocol represents a potential vector. With Bitcoin trading near $79,000 and Ethereum around $2,247 in mid-May 2026, the value locked in these interconnected systems makes them increasingly attractive targets for sophisticated operators.
The Mitigation Strategy
TrustedVolumes has indicated openness to a bug bounty negotiation with the attacker, mirroring the approach that succeeded in recovering funds after the 2025 incident. Whether this strategy works a second time remains uncertain. But the broader mitigation challenge is structural: DeFi protocols cannot simply patch a single vulnerability and declare themselves safe against an attacker who demonstrates the capability and patience to find new weaknesses in the same ecosystem over extended periods.
The most effective immediate mitigation for users involves revoking old token approvals. Tools like Revoke.cash allow wallet holders to see all active permissions and remove those no longer needed. The TrustedVolumes attacker specifically exploited old approvals — permissions users had granted long before the attack and had likely forgotten about. Setting specific approval amounts rather than unlimited approvals going forward significantly reduces this exposure.
Lessons Learned
The return attacker pattern reveals several critical lessons for the DeFi ecosystem. First, security is not a destination but a continuous process. The 1inch Fusion V1 vulnerability was patched after the March 2025 attack, but the attacker simply found a different entry point in the same broader infrastructure. Second, the interconnection of DeFi components means that a vulnerability in any single resolver, bridge, or market maker can cascade across multiple platforms. Third, persistent threat actors are investing time in understanding specific ecosystems deeply, which means protocols with large TVL and complex third-party integrations face elevated, sustained risk.
The $750 million lost to DeFi exploits in the first four months of 2026 alone underscores the severity of this environment. The TrustedVolumes incident, while smaller than the $285 million Drift Protocol or $292 million Kelp DAO exploits, is arguably more concerning because it demonstrates that attackers return to productive hunting grounds. They remember which protocols hold value, which infrastructure connects to what, and where the soft spots are.
User Action Required
If you have ever interacted with 1inch Fusion, TrustedVolumes, or any resolver-based trading protocol, take the following steps immediately. Visit Revoke.cash and review all active token approvals on your wallets. Revoke any approvals tied to TrustedVolumes resolver contracts or older 1inch Fusion routes. Going forward, never grant unlimited token approvals unless absolutely necessary — set specific amounts that limit potential exposure. Consider using dedicated trading wallets with limited balances rather than your primary holding wallets for DeFi interactions. The few minutes these steps require can protect you from becoming the next statistic in a threat actor’s ongoing campaign.
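The approval review recommended here and in the mitigation section can also be scripted. The following is an added example, not part of the original article or of Revoke.cash: it rebuilds live allowances from ERC-20 `Approval` event logs and flags unlimited or long-standing ones. The log dictionaries follow the usual JSON-RPC log shape, and the addresses, block numbers and the `stale_after` threshold are constructed placeholders.

```python
# Added example. Logs give an upper bound only (spending may not emit
# Approval); confirm any finding with the token's allowance() call.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def _addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs):
    """Return {(token, owner, spender): (amount, block)} for non-zero approvals."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        key = (log["address"].lower(), _addr(topics[1]), _addr(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approving zero is a revocation
        else:
            state[key] = (amount, log["blockNumber"])
    return state

def findings(logs, owner, current_block, stale_after):
    """Owner's live approvals that are unlimited or older than stale_after blocks."""
    out = []
    for (token, own, spender), (amount, block) in sorted(live_allowances(logs).items()):
        if own != owner.lower():
            continue
        reasons = []
        if amount == UNLIMITED:
            reasons.append("unlimited")
        if current_block - block > stale_after:
            reasons.append("stale")
        if reasons:
            out.append((token, spender, reasons))
    return out

# Constructed sample data: placeholder addresses, not real contracts.
TOKEN, USER = "0x" + "11" * 20, "0x" + "aa" * 20
OLD_RESOLVER, ROUTER = "0x" + "bb" * 20, "0x" + "cc" * 20
def _log(block, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, pad(USER), pad(spender)], "data": hex(amount)}
SAMPLE_LOGS = [_log(100, OLD_RESOLVER, UNLIMITED), _log(150, ROUTER, UNLIMITED),
               _log(900, ROUTER, 0), _log(950, ROUTER, 500)]
```

On the sample logs, `findings(SAMPLE_LOGS, USER, 1000, 500)` reports only the old unlimited approval to the placeholder resolver; the router approval was revoked and re-granted with a bounded amount, so it passes.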