Liquidity provider TrustedVolumes, a market maker and resolver used by 1inch Fusion and other protocols, confirmed on Thursday that it had been drained for roughly $6.7 million in an exploit on the Ethereum network.
Web3 security firm Blockaid first flagged the attack, putting initial losses at $5.87 million. Blockaid said the vulnerability sat in a TrustedVolumes-controlled custom request-for-quote swap proxy, separate from the Fusion V1 bug exploited last March.
Stolen assets include 1,291 wrapped Ether, 16.9 wrapped Bitcoin, 206,282 USDT, and roughly 1.27 million USDC, per Blockaid.
In a statement, TrustedVolumes confirmed the exploit and updated the loss figure to about $6.7 million, split across three wallets, with two holding roughly $3 million each and a third with about $700,000. The team said it was open to "constructive communication" and a "mutually acceptable resolution," language that echoes the bug bounty negotiations which recovered most of the funds drained from TrustedVolumes resolvers during the March 2025 attack.
1inch moved quickly to distance itself. In an X post, the DEX aggregator called reports linking it to the breach "misleading," adding that "neither 1inch nor any of the 1inch protocols are involved" and that there was "no impact on 1inch systems, infrastructure or user funds." 1inch co-founder Sergej Kunz separately noted that TrustedVolumes operates independently across multiple protocols.
The incident is at least the fifth major DeFi exploit since the start of May, following an April that DefiLlama logged as the worst month on record by incident count, with 28 separate hacks totaling $635.2 million. That tally was headlined by the $293 million Kelp DAO bridge breach and the $285 million Drift Protocol drain.
This article was written with the assistance of AI workflows. All our stories are curated, edited and fact-checked by a human.