TrustedVolumes exploit confirmed: $6.7M RFQ swap theft, talks sought

TrustedVolumes confirmed that the exploit involved a custom RFQ (request-for-quote) swap proxy under its control, with losses totaling about $6.7M on Ethereum. Blockchain firm Blockaid previously traced nearly $6M to TrustedVolumes’ Ethereum resolver contract, and incident reports connect the exploiter to the same operator behind the March 2025 1inch Fusion v1 incident, though the flaw is in TrustedVolumes-controlled infrastructure.

TrustedVolumes says 3 wallet addresses hold the stolen assets (about $3M, $3M, and $700K). The firm is “open to constructive communication” and proposes a bounty-style, mutually acceptable solution.

Technically, the exploit targeted the privileged RFQ proxy design. Security lead Hakan Unal (Cyvers) attributed the root cause to permissionless signer registration, broken replay protection, and an unvalidated transfer source field, raising concerns that drainage could have been repeated from approved accounts. Key cited flows include roughly 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1,268,771 USDC routed from the Ethereum resolver.

1inch rejected any direct involvement, stating there was “no impact” on its core aggregation contracts and user funds, while acknowledging it uses TrustedVolumes as one of many resolvers.

For traders, the main near-term concern is counterparty confidence around 1inch-adjacent liquidity and RFQ infrastructure. If the stolen funds are returned, sentiment could stabilize; if not, risk premiums may rise for affected DeFi liquidity venues tied to resolver/RFQ flows.
Bearish
This is a confirmed Ethereum-side exploit involving the TrustedVolumes resolver/RFQ infrastructure, which can temporarily increase perceived smart-contract and counterparty risk around Ethereum liquidity routing. Although 1inch says its core contracts and user funds were not impacted, the episode highlights concrete failures (replay protection, signer registration, transfer validation) and public fund movement tied to WETH/USDT/WBTC/USDC flows. Near term, that can pressure sentiment and widen risk premia for ETH-related DeFi routes that rely on similar resolver/RFQ systems. The bounty-style “constructive” communication may reduce worst-case panic if funds are returned, but until that outcome is clear, the short-term impact on Ethereum-linked trading conditions is more likely negative than neutral.