TrustedVolumes attacker returns $2M in ETH, keeps another $2M bounty

A TrustedVolumes attacker has returned 1,122 ETH worth about $2M, while keeping another $2M as a self-declared bounty. Blockaid linked the May exploit to TrustedVolumes’ custom RFQ swap proxy and reported the returned ETH represents only a partial recovery from an initial ~$5.87M drain from a contract controlled by the liquidity provider. TrustedVolumes previously said the total loss had reached roughly $6.7M and that stolen assets were held across three addresses (about $3M, $3M, and $700K). Before consolidation, Blockaid identified drained tokens including WETH, USDT, WBTC, and USDC; PeckShield later said the attacker exchanged them and gathered proceeds into about 2,513 ETH. The security findings point to missing access controls in a public function used by the proxy: the attacker could register an approved order signer, use faulty replay protection, and direct the proxy to pull tokens from the TrustedVolumes inventory vault. The report notes 1inch’s core aggregation and standard user routes were not compromised. At the time of writing, TrustedVolumes had not confirmed whether it accepted the attacker’s bounty terms. The TrustedVolumes attacker’s partial repayment may reduce immediate sentiment around the incident, but the underlying exploit mechanics and unchanged retained funds keep the news risk-relevant for DeFi liquidity providers and RFQ-style trading infrastructure.
Neutral
Impact is likely neutral. The TrustedVolumes attacker has returned part of the stolen ETH, which can ease short-term fear for traders who were worried about further cascading losses. However, the attacker still keeps roughly the same dollar value as the returned amount, so the headline confirms that a meaningful portion of funds remains outside recovery. Mechanically, the report highlights access-control and replay-protection failures in a custom RFQ swap proxy rather than a system-wide issue in 1inch. That reduces the probability of immediate, broad market contagion, but it raises longer-term risk for DeFi venues using similar RFQ/proxy authorization patterns. Historically, partial repayments after DeFi exploits often lead to a brief sentiment rebound, while follow-up disclosures about retained funds and root-cause vulnerabilities tend to keep traders cautious—particularly for liquidity providers, market makers, and RFQ-based execution routes. Expect limited market-wide movement, with more selective repricing of risk for affected infrastructure.