Attacker Drains $6.7M From 1inch Market Maker TrustedVolumes
An attacker exploited TrustedVolumes’ RFQ swap proxy and resolver on Ethereum on May 7, draining about $6.7 million in WETH, USDT, WBTC and USDC.
An attacker exploited a request-for-quote (RFQ) swap proxy and a resolver contract tied to TrustedVolumes, a liquidity provider and market maker associated with 1inch, on Ethereum on May 7, 2026. The incident drained roughly $6.7 million in wrapped tokens and stablecoins.
Security firm Blockaid reported the exploit hit TrustedVolumes’ resolver contract at 0x9bA0CF1588E1DFA905eC948F7FE5104DD40EDa31. The primary transaction originated from wallet 0xC3EBDdEa4f69df717a8f5c89e7cF20C1c0389100. Initial on-chain calculations put the seized assets at about $5.87 million, comprising 1,291.16 WETH, 206,282 USDT, 16.939 WBTC and 1,268,771 USDC. TrustedVolumes confirmed the breach and indicated total losses now exceed $6.7 million and that it is considering a bug bounty.
PeckShieldAlert reported the attacker later consolidated the stolen tokens into approximately 2,513 ETH through internal swaps using a custom proxy. The RFQ swap proxy implicated in the exploit is at address 0xeEeEEe53033F7227d488ae83a. Blockaid noted the vulnerability targeted TrustedVolumes’ custom RFQ implementation rather than the Fusion V1 codebase used in a March 2025 incident that yielded about $5 million.
On-chain traces show the attacker routed funds through a sequence of swaps and proxy calls before converting much of the haul to ETH. Those steps changed token types and consolidated balances, actions commonly used to move funds across decentralized finance protocols and reduce traceability.
The TrustedVolumes breach is one of several DeFi incidents recorded in early May 2026. Security monitoring has flagged five major breaches in the same period with combined losses exceeding $8 million. April 2026 saw a larger cluster of attacks with substantially higher aggregate theft across multiple protocols.
TrustedVolumes has not published a full technical post-mortem. Blockchain security teams and the project continue to monitor the wallets and contract addresses linked to the exploit for any further movement of assets and potential recovery avenues.
Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.
We strive to ensure the accuracy and relevance of the information we share, but we do not guarantee that all content is complete, error-free, or up to date. BlockPort disclaims any liability for losses, mistakes, or actions taken based on the material found on this site.
Always conduct your own research before making financial decisions and consider consulting with a licensed advisor.
For further details, please review our Terms of Use, Privacy Policy, and Disclaimer.
Articles by this author
