- TrustedVolumes was exploited today, May 7, 2026 and has lost almost $6.7 million.
- The attackers discovered a flaw in the proxy contract and by exploiting the flaw, the attackers managed to drain funds.
- The breach highlights rising security threats across DeFi infrastructure.
Today, on May 7, 2026, alerts from blockchain security firm Blockaid signaled that TrustedVolumes, a major liquidity provider and market maker for the 1inch ecosystem, had been exploited on the Ethereum network. The attacker extracted approximately $6.7 million in assets (according to TrustedVolumes), including 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1,268,771 USDC, according to Blockaid and Web3 security firms.
The incident is being investigated as a sophisticated smart-contract exploit rather than a traditional phishing smart-contract exploit or social engineering attack, underlining persistent vulnerabilities in decentralized finance (DeFi) protocols.
What Went Wrong in the TrustedVolume Exploit?
At the centre of all this chaos was a custom RFQ (Request for Quote) swap proxy contract, 0xeeee….1756, controlled by TrustedVolumes. The attacker, operating from the address 0xc3eb….9100, deployed a malicious contract that first called ‘registerAllowedOrderSigner(signer=0xc3eb…9100, allowed=true)’ on the settlement contract, effectively granting itself authorization to execute trades.
Leveraging the TrustedVolumes Market Maker’s unlimited approval to the settlement contract, the attacker initiated multiple settlement transaction, using selector 0x4112e1c2 to withdraw large amounts of WETH, USDT, WBTC and USDC units to the market maker. This allowed the attacker to drain the liquidity pool before the funds were transferred back to the exploit address.
Security analyses indicate that the vulnerability stemmed from insufficient access controls and lack of strict validation checks in the RFQ swap proxy. A core admin function was left publicly accessible and it did not have any restrictions. This allowed the attacker to bypass security checks and exploit the contract.
This mirrors earlier incidents, such as the March 2025 1inch Fusion v1 exploit, where similar oversights in legacy smart contracts allowed attackers to drain liquidity, though the current exploit targets different contract component. The attack indicates the risks of custom, high risk pathways in DeFi systems that interact directly with large liquidity pools.
TrustedVolumes Opens Bug Bounty Talks After $6.7 Million Exploit
TrustedVolumes publicly acknowledged the recent exploit and confirmed through an X (formerly known as Twitter) post that several wallet addresses are currently holding the stolen funds. The team in the post also talks about the estimated loss which was around $6.7 million across multiple Ethereum addresses.
In its statement, TrustedVolumes said that the platform is open to discuss with the attacker over a possible bug bounty agreement and a workable resolution.
The protocol also shared direct contact details, including ProtonMail and Telegram, so anyone with useful information can reach out and potentially help recover stolen assets. The incident once again highlights rising security risks for DeFi protocols and liquidity providers.
Is This Exploit Similar to Recent DeFi Attacks?
The TrustedVolumes exploit shares parallels with several high-profile DeFi breaches in 2026, particularly those involving cross-chain and restaking protocols. Moreover, the Drift Protocol exploit on Solana, which resulted in a $285 million loss, utilized social engineering to compromise the protocol’s multisig governance and durable nonces, allowing pre-signed transactions to be executed.
In the same way, KelpDAO exploit, linked to approximately $292-294 million in losses, exploited vulnerabilities in its LayerZero-based rsETH bridge, where manipulated cross-chain messaging led to the issuance of unsupported rsETH tokens.
These incidents collectively highlight a trend: custom, high-complexity components in DeFi, such as RFQ proxies, cross-chain bridges, and governance mechanisms, are prime targets for sophisticated actors. The TrustedVolumes exploit, like the Drift and KelpDAO cases, demonstrates how single points of failure in smart contracts or infrastructure can trigger cascading effects across the ecosystem.
Additionally, the Lazarus Group, a North Korea-linked hacking collective, has been associated with such large-scale DeFi heist, leveraging their expertise in cross-chain attacks and operational flaws.
The Role of AI in Exploits: The Lazarus Theory
There are speculations going around that the Lazarus group may be leveraging artificial intelligence (AI) to accelerate and automate exploit discovery. AI tools can analyze vast amounts of on-chain data, identifying patterns in contact interactions, gas usage, and user behaviour to pinpoint vulnerabilities faster than traditional methods.
For example, machine learning models can simulate attack scenarios, optimizing for maximum yield in minimal time, as seen in cross-chain exploits targeting protocols like KelpDAO.
Impact on DeFi and the Broader Ecosystem
The TrustedVolumes exploit adds to a wave of high-value DeFi hacks in 2026, contributing to more than $13-15 billion in TVL (Total Value Locked) outflows across major protocol like Aave and Compound. These incidents have eroded user confidence, with many platforms halting operations or implementing emergency pauses to mitigate further losses.
The repeated targeting of market makers and liquidity providers highlight systemic risks, as disruptions in these roles can cascade into broader liquidity crunches and price volatility.
For protocols like KelpDAO and Drift, the impact includes not only direct financial losses but also reputational damage and regulatory scrutiny. The KelpDAO rsETH bridge exploit, for example led to questions about the security of cross-chain infrastructure, prompting calls for enhanced audits and isolations of critical components.
Similarly, the Drift exploit emphasized the need for robust governance and multi-signature safeguards. The TrustedVolumes incident serves as a reminder that even well-audited projects with established security measures remain vulnerable to evolving attack vectors.
Recommendations for the DeFi Community
To avoid such exploits in the future, DeFi protocols should adopt strict allowlists and invariant checks for all swaps and proxy pathways, treating resolver/operator flows as high-risk surfaces.
There should be continuous on-chain monitoring, emergency kill-switch mechanisms, and regular audits are essential to detect and respond to anomalies promptly.
Additionally, isolating custom components behind robust access controls can prevent unauthorized interactions, as highlighted by the TrustedVolumes vulnerabilities.
As AI-driven attacks become more sophisticated, collaboration between security firms and AI developers is crucial to develop proactive defenses. The DeFi ecosystem must prioritize transparency, resilience, and rapid response to maintain trust and make sure there is sustainable growth.
With the KelpDAO and Drift Protocols under increased scrutiny, the lessons from incidents like TrustedVolumes could shape a more secure future for decentralized finance.
Also Read: Bitcoin Surges Past $81K While Altcoins Hint at a Comeback
