
TrustedVolumes Exploit: $6.7M Drained via RFQ Proxy Signer Bypass

$6.7 million drained from TrustedVolumes on Ethereum after a custom RFQ proxy signer bypass let attackers execute unauthorized orders against approved funds.

  • Incident Date: May 7, 2026
  • Target: TrustedVolumes RFQ resolver / custom swap proxy on Ethereum
  • Target Overview: TrustedVolumes is an independent DeFi liquidity provider and resolver used in RFQ-style swap execution. Public reports tied the exploit to TrustedVolumes' own resolver and custom RFQ proxy, not to 1inch core protocol contracts.
  • Total Loss: ~$6.7 million
  • Attack Vector: Signer Authorization Bypass / Broken Replay Protection / Unvalidated Transfer Source

Incident Review & Technical Details

1. Attack Path

  1. Resolver Contract Became the Execution Surface: Public reporting identified TrustedVolumes' Ethereum resolver as 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31, with the affected custom RFQ swap proxy reported as 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756.
  2. Unauthorized Order Execution: Blockaid and Cyvers attributed the incident to a custom swap proxy path that allowed unauthorized order execution. The publicly described failure mode centered on signer authorization: an attacker could get malicious order data accepted where only TrustedVolumes-controlled signers should have been valid.
  3. Replay and Transfer-Source Controls Failed: Cyvers reported broken replay protection and an unvalidated transfer source field. In practical terms, the settlement path appears to have trusted attacker-influenced order fields, including the transfer source, enough to pull approved assets through the resolver/proxy path.
  4. Initial Main Transaction Drained ~$5.87 Million: The primary transaction publicly tracked on Etherscan moved approximately 1,291 WETH and 206,282 USDT, with early monitoring estimates putting that transaction at about $5.87 million.
  5. Confirmed Loss Expanded to ~$6.7 Million: TrustedVolumes later confirmed an aggregate loss of about $6.7 million and said the stolen funds were being held across three Ethereum addresses at the time of its statement.

2. Impact Scope

  • Protocol-Level Loss: TrustedVolumes confirmed approximately $6.7 million in stolen funds.
  • Affected Component: The known exploit surface was TrustedVolumes' custom RFQ resolver/proxy flow on Ethereum.
  • 1inch Exposure: Public reports framed TrustedVolumes as a third-party resolver and market maker in the 1inch ecosystem. Reviewed sources did not report a compromise of 1inch core contracts or a broad 1inch user-fund loss.
  • Asset Scope: Early transaction analysis identified WETH and USDT in the main drain transaction. Other reports described the stolen funds as spread across three Ethereum wallets after the exploit.
  • Operational Impact: The incident created immediate market-maker and resolver risk rather than a publicly reported protocol-wide liquidity-pool failure.

3. Official Statements

  • TrustedVolumes: On May 7, 2026, TrustedVolumes said it had identified a $6.7 million exploit, was investigating the incident, and was open to constructive communication with the party controlling the funds.
  • 1inch Ecosystem Context: 1inch-related reporting described TrustedVolumes as an independent resolver / market maker and emphasized that the vulnerable component was outside the 1inch core protocol.
  • Security Monitoring Firms: Blockaid first flagged the active drain and identified the affected resolver path. Cyvers' reporting described the failure as involving permissionless signer registration, broken replay protection, and an unvalidated transfer source.

4. Investigation Progress

As of May 8, 2026, TrustedVolumes had not published a full technical post-mortem with complete root-cause code diffs, final recovered-fund status, or a confirmed remediation timeline. The most reliable public picture is therefore a chain-level exploit of a TrustedVolumes-controlled RFQ execution path, with public security-firm analysis pointing to signer and order-validation failures.

The key unanswered questions are operational rather than cosmetic: whether the vulnerable proxy was fully disabled, whether signer registration and replay protections have been patched, whether any other resolvers share the same code path, and whether the three fund-holding wallets have entered recovery negotiations or started laundering through mixers, bridges, or exchanges.


AUTOSEC.DEV Solution

RFQ resolvers sit at a dangerous boundary: a small mistake in signer validation, replay control, or transfer-source binding can turn approved settlement flow into a direct asset drain.

  1. Secure Code Review - TrustedVolumes' exploit was publicly tied to signer authorization and replay weaknesses in a custom RFQ proxy. AUTOSEC.DEV reviews resolver contracts, EIP-712 domain separation, signer registration, nonce handling, transfer-source validation, and approved-spender assumptions before those paths handle market-maker inventory.
  2. Penetration Testing - RFQ bugs often require end-to-end order-flow testing, not only isolated function review. We reproduce attacker workflows on forks and staging systems, including invalid signer attempts, stale signature replay, malicious source fields, and settlement calls that should never reach token-moving code.
  3. Incident Response - For active resolver drains like TrustedVolumes, containment depends on fast proxy disablement, wallet and allowance scoping, transaction tracing, and recovery coordination with exchanges and counterparties. AUTOSEC.DEV supports triage, forensic reconstruction, and post-incident hardening so the same execution path cannot reopen.
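Added example, not TrustedVolumes' or 1inch's code: a constructed Python model of an RFQ proxy settle path that reproduces the three failure modes named in the attack path above (permissionless signer registration, missing replay guard, unbound transfer source) beside the hardened checks listed under Secure Code Review. Assumptions: sha256 stands in for keccak256/EIP-712 typed-data hashing, HMAC stands in for an ECDSA signature that recovers to the signer, and every address, key and the "owner" caller label is a placeholder.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: DOMAIN plays the role of an EIP-712 domain separator,
# sha256 of keccak256, and HMAC of an ECDSA signature that recovers to the signer.
DOMAIN = b"rfq-proxy-v1|chainId=1|verifyingContract=0xPROXY_PLACEHOLDER|"


def order_hash(order: dict) -> bytes:
    return hashlib.sha256(DOMAIN + json.dumps(order, sort_keys=True).encode()).digest()


def sign(secret: bytes, order: dict) -> bytes:
    return hmac.new(secret, order_hash(order), "sha256").digest()


class RfqProxy:
    """Settles signed RFQ orders by pulling tokens from order['from'] into order['to']."""

    def __init__(self, signers: dict, balances: dict, hardened: bool):
        self.signers = dict(signers)    # signer address -> simulated key material
        self.balances = dict(balances)  # address -> balance the proxy is approved to spend
        self.used = set()               # consumed order hashes (replay guard)
        self.hardened = hardened

    def register_signer(self, caller: str, addr: str, secret: bytes) -> None:
        # Failure 1: permissionless registration lets anyone become a "valid" signer.
        if self.hardened and caller != "owner":
            raise PermissionError("only the resolver owner may add signers")
        self.signers[addr] = secret

    def settle(self, order: dict, sig: bytes) -> int:
        signer = order["signer"]
        if signer not in self.signers:
            raise PermissionError("unknown signer")
        if not hmac.compare_digest(sign(self.signers[signer], order), sig):
            raise PermissionError("signature does not match signer")
        h = order_hash(order)
        if self.hardened:
            # Failure 2: without this, one valid signature settles indefinitely.
            if h in self.used:
                raise ValueError("order already settled")
            # Failure 3: the debit source must be the authenticated signer, not a free field.
            if order["from"] != signer:
                raise ValueError("transfer source must equal signer")
        self.used.add(h)
        self.balances[order["from"]] -= order["amount"]
        self.balances[order["to"]] = self.balances.get(order["to"], 0) + order["amount"]
        return self.balances[order["to"]]
```

With `hardened=False` the model drains the market maker's approved balance on a self-registered signer and accepts the same signature again; with `hardened=True` each of the three checks rejects the corresponding step.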
