DeFi Platform TrustedVolumes Hit By $6.7M Hack As 2026 Exploits Surge
Another multi-million-dollar attack has hit the DeFi sector after liquidity provider and market maker TrustedVolumes fell victim to a smart contract exploit on Thursday night.
TrustedVolumes Hit By $6.7M Hack
On Thursday, DeFi platform TrustedVolumes, one of 1inch’s liquidity providers and market makers, suffered a new exploit that drained millions of dollars in multiple assets from the project.
According to reports from blockchain security firms PeckShield and Blockaid, the attacker stole roughly $6 million in Wrapped Ethereum (WETH), Wrapped Bitcoin (WBTC), USDT, and USDT after exploiting a vulnerability in the protocol’s core signature validation logic, which allowed them to bypass authorization checks and forge trading orders.
Notably, the hacker quickly exchanged all assets for 2.513 ETH on a Decentralized Exchange (DEX) and distributed them across three addresses. In an X post, TrustedVolumes confirmed the incident, sharing the addresses currently holding the stolen funds and updating the estimated loss to roughly $6.7 million.
The vulnerability was in a TrustedVolumes-controlled custom RFQ (request for quote) swap proxy. Crypto researcher Humphrey explained that “the Custom RFQ Swap Proxy contract contains a function designed to handle the ‘approved order signer’ whitelist. Such whitelist mechanisms are common in DeFi—only addresses on the whitelist can issue valid transaction instructions on behalf of the protocol.”
However, he noted that “this registration function is public and lacks any permission modifiers.” As a result, the attacker exploited this public function in the contract, registering themselves as an approved order signer.
“Since any external address can call this function, it’s equivalent to giving everyone the ability to make a copy of the safe’s key,” the researcher continued.
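The missing-permission pattern the researcher describes is something a source review can check for mechanically. The following is an added example, not code from this article, TrustedVolumes or the researcher: a heuristic Python lint that lists externally callable, state-changing Solidity functions with no caller check. The contract and every name in it are constructed, and the regex parsing assumes explicit visibility keywords and no braces inside string literals.

```python
import re

# Constructed sample: contract, function and modifier names are hypothetical.
SAMPLE = """
contract RfqProxyExample {
    address owner; bool locked; uint256 fee;
    mapping(address => bool) approvedSigner;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier nonReentrant() { require(!locked); locked = true; _; locked = false; }
    function registerSigner(address s) external { approvedSigner[s] = true; }
    function revokeSigner(address s) external onlyOwner { approvedSigner[s] = false; }
    function isApproved(address s) external view returns (bool) { return approvedSigner[s]; }
    function setOwner(address n) public { require(msg.sender == owner); owner = n; }
    function setFee(uint256 f) external nonReentrant { fee = f; }
    function _mark(address s) internal { approvedSigner[s] = true; }
}
"""

DECL = re.compile(r"\b(function|modifier)\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")

def block_at(src, brace):
    """Return the brace-balanced block that starts at index `brace`."""
    depth = 0
    for i in range(brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[brace:i + 1]
    return src[brace:]

def unguarded_entry_points(src):
    """Names of externally callable, state-changing functions with no caller check."""
    decls = [(m.group(1), m.group(2), m.group(4).split("returns")[0],
              block_at(src, m.end() - 1)) for m in DECL.finditer(src)]
    # A modifier counts as access control only if its body inspects msg.sender.
    guards = {n for kind, n, _, body in decls if kind == "modifier" and "msg.sender" in body}
    flagged = []
    for kind, name, header, body in decls:
        words = set(re.findall(r"\w+", header))
        if kind != "function" or not words & {"public", "external"}:
            continue  # modifiers and internal/private functions are not entry points
        if words & {"view", "pure"}:
            continue  # read-only, cannot change the whitelist
        if words & guards or "msg.sender" in body:
            continue  # guarded by an access-control modifier or an inline sender check
        flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(unguarded_entry_points(SAMPLE))
```

A reentrancy lock does not count as a permission check here, so `setFee` is reported alongside the open signer registration; each hit still needs manual review.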
Same Hacker, Different Attack
Online reports revealed that the attacker was the same hacker responsible for the $5 million 1inch Fusion V1 Settlement contract exploit in March 2025, of which TrustedVolumes was the main victim.
Humphrey highlighted that while the same individual carried out both attacks, they were significantly different on a technical level. According to the post, the 2025 vulnerability involved low-level EVM memory manipulation in the 1inch Fusion V1 Settlement contract.
At the time, the hacker “proactively initiated on-chain negotiations,” offering to return the stolen assets for a white hat bounty. The DeFi platform accepted the proposal, and most of the funds were safely returned.
Now, TrustedVolumes affirmed that it’s “open to constructive communication relating to a bug bounty and a mutually acceptable decision.”
Decentralized exchange aggregator 1inch clarified that there was no impact on its systems, infrastructure, or user funds, explaining that “TrustedVolumes operate independently as a liquidity provider, utilized by multiple protocols across the industry, and are not exclusive to 1inch.”
DeFi Exploits See Historic Surge
This attack follows a wave of exploits that has shaken the DeFi sector over the past month. Last week, PeckShield revealed that the crypto space saw 40 major hacks in April, which drained roughly $647 million.
This figure represents a 1,140% Month-over-Month (MoM) increase from March’s $52.2 million. It also represents a 292% surge from the $165 million the DeFi sector lost during the first quarter of 2026.
Notably, the top two incidents of the month, Drift Protocol’s $285 million and KelpDAO’s $290 million exploits, accounted for 91% of the funds lost last month. In addition, they now rank among the Top 10 hacks since 2021.
