TrustedVolumes confirmed a $6.7 million exploit on Thursday, with stolen funds now sitting across three Ethereum addresses. The independent market maker, which operates as a resolver for 1inch Fusion, said two wallets hold roughly $3 million each and a third holds about $700,000. The firm posted on X that it was open to a bug bounty and a negotiated resolution.
The TrustedVolumes exploit was first flagged by Blockaid, which detected unauthorised activity through its monitoring system. Blockaid initially pegged the loss at $5.87 million, including Wrapped Ether, USDT, Wrapped Bitcoin, and USDC. CertiK later identified the attack vector: the attacker registered as an authorised order signer via a public function, then used that permission to drain funds from targeted wallets.
TrustedVolumes exploit structure and impact
The exploit hit TrustedVolumes’ custom swap infrastructure, which the firm operates independently. The attack did not breach the core 1inch protocol. TrustedVolumes acts as a liquidity provider across multiple protocols, including 1inch, but runs its own contracts. That separation meant user funds held directly within 1inch’s infrastructure remained untouched.
1inch moved quickly to clarify the position. In a post on X, the platform said reports linking it to the TrustedVolumes exploit were misleading.
