TrustedVolumes, a DeFi liquidity provider and market maker, lost roughly $6.7 million in a smart contract exploit Thursday night. The attacker targeted a vulnerability in the protocol's signature validation logic, bypassing authorization to forge trading orders. Initial assets stolen included WETH, WBTC, USDT, and what appears to have been USDC — the hacker later swapped everything for 2,513 ETH on a DEX and spread the funds across three addresses.
How the exploit worked
The vulnerability sat in TrustedVolumes' custom RFQ swap proxy contract. A public registration function lacked permission modifiers, meaning anyone could register themselves as an authorized order signer. That's exactly what the attacker did — then used that forged authorization to drain liquidity. TrustedVolumes confirmed the incident on X, updating the estimated loss to $6.7 million and sharing the addresses holding the stolen funds.
Same attacker, different method
This isn't the first time. The same hacker was behind a $5 million exploit of the 1inch Fusion V1 Settlement contract in March 2025, where TrustedVolumes was the primary victim. But the two attacks differed technically. The 2025 breach used low-level EVM memory manipulation. The 2026 version exploited a far simpler flaw: a public whitelist registration that should never have been public.
In the 2025 incident, the hacker proactively negotiated a return of funds for a white hat bounty, and most assets were returned. TrustedVolumes said this week it's open to constructive communication regarding a bug bounty and a mutually acceptable resolution. No word yet on whether the attacker will engage.
1inch, meanwhile, clarified that its own systems, infrastructure, and user funds were not impacted. TrustedVolumes operates independently as a liquidity provider used by multiple protocols.
April's staggering hack tally
The timing isn't great for the broader DeFi space. April 2026 saw 40 major hacks drain roughly $647 million — a 1,140% month-over-month jump from March's $52.2 million, and a 292% surge from Q1's $165 million. Two incidents — Drift Protocol ($285 million) and KelpDAO ($290 million) — accounted for 91% of April's losses and rank among the top 10 hacks since 2021.
TrustedVolumes' $6.7 million loss is smaller by comparison, but the fact that the same individual struck them twice underscores how persistent these attackers can be.
