TrustedVolumes confirms $6.7M exploit as 1inch says its systems were not affected
Stolen funds were split across three Ethereum wallets as security firms described an allowed-signer abuse path.
TrustedVolumes, an independent resolver and market maker used by 1inch Fusion, confirmed it was exploited on May 7 and estimated about $6.7 million was stolen. 1inch publicly rejected claims of a direct breach, saying its protocols, infrastructure, and user funds were not impacted.
Key Takeaways
- TrustedVolumes confirmed an exploit and estimated about $6.7 million was stolen, held across three Ethereum addresses.
- The stolen balance was split across three wallets, with two holding about $3 million each and a third holding about $700,000.
- 1inch said reports directly linking the incident to 1inch were “misleading” and stated there was “no impact on 1inch systems, infrastructure or user funds.”
- Early forensic estimates differed, with Blockaid initially pegging extracted assets at about $5.87 million including WETH, USDT, WBTC, and USDC.
TrustedVolumes Confirms $6.7M Exploit as 1inch Rejects Direct Link
TrustedVolumes said it was exploited and that about $6.7 million in stolen funds is being held across three Ethereum addresses. The firm described the stolen funds as sitting in three wallets and signaled it is seeking a negotiated outcome, saying it is open to “constructive communication” over a bug bounty and a “mutually acceptable resolution.”
1inch moved quickly to narrow the blast radius. The aggregator said reports tying the exploit directly to 1inch were “misleading,” adding that “neither 1inch nor any of the 1inch protocols are involved” and that there was “no impact on 1inch systems, infrastructure or user funds.” Co-founder Sergej Kunz framed TrustedVolumes as an external execution counterparty, saying: “While it is true that 1inch uses TrustedVolumes as a resolver, we are one of many.”
For traders, that distinction matters. The facts available so far point to third-party execution infrastructure risk inside a resolver’s stack, not a compromise of 1inch’s core contracts or custody of user funds.
Where the Funds Went: Three Wallet Split and Competing Loss Estimates
TrustedVolumes said the stolen funds were split across three wallets: two addresses holding about $3 million each and a third holding about $700,000. That wallet-level accounting is the cleanest near-term marker for whether the attacker is attempting to launder, bridge, or negotiate.
Loss estimates are not yet fully reconciled. Blockaid’s exploit detection system flagged an ongoing Ethereum exploit targeting TrustedVolumes and initially estimated about $5.87 million extracted, including Wrapped Ether (WETH), USDT, Wrapped Bitcoin (WBTC) and USDC. TrustedVolumes later put the figure higher at about $6.7 million.
In desk terms, the right way to treat the number early is as a range until on-chain attribution and asset breakdowns converge.
How the Attack Worked: Allowed Order Signer Abuse and Custom Swap Infrastructure
Two technical threads described the likely path. CertiK said the attacker registered as an allowed order signer through a public function, then used that authorization to execute orders that transferred funds from targets. Blockaid said the attack involved a TrustedVolumes-controlled custom swap infrastructure.
The common failure mode is permissioning. If an attacker can get onto an allowlist or signer set inside resolver-run contracts, they can drain value even when the aggregator’s own systems remain intact. That is the structural risk in resolver-based execution: third parties can run bespoke contracts and operational plumbing that sit adjacent to, but outside, the aggregator’s core protocol surface.
Blockaid and security researcher Vladimir Sobolev (Officer’s Notes) also said the same operator responsible for the March 2025 1inch Fusion V1 resolver exploit carried out the latest attack, while Blockaid said the vulnerability differs this time. The repeat-operator claim raises the odds that resolver infrastructure remains a target class, even if the specific bug changes.
Signals to Watch for TrustedVolumes resolver exploited. 1inch denies
The first signal is whether funds move out of the three wallets TrustedVolumes cited, which would indicate laundering or bridging attempts, or potentially a negotiation timeline if transfers pause.
Second is remediation clarity from TrustedVolumes. Any concrete steps on contract controls, monitoring, or changes to its resolver setup will matter more than generic assurances, especially after its call for “constructive communication” and a “mutually acceptable resolution.”
Third is reconciliation of the extracted amount. Updates that explain the gap between Blockaid’s ~$5.87 million estimate and TrustedVolumes’ ~$6.7 million figure, including a final asset breakdown, will tighten risk accounting.
Finally, traders should watch for changes to resolver participation rules. Any statements from 1inch or security partners on allowlists, order-signer controls, or resolver onboarding standards would be the first sign this incident is shifting execution policy rather than just generating headlines.
The Real Trade Signal Is Resolver Counterparty Risk and Repeat-Operator Claims
I treat this as a resolver counterparty event, not a 1inch protocol breach, because 1inch explicitly said there was “no impact on 1inch systems, infrastructure or user funds” and Kunz stressed TrustedVolumes operates independently. That does not eliminate market risk. It shifts it into the execution layer where liquidity, routing, and reputation can still take a hit when headlines compress nuance.
The threshold that matters is whether resolver operators and aggregators respond with tighter signer and allowlist controls after a second incident tied to the same alleged operator. If that hardening shows up in participation rules and monitoring standards, the setup starts to look structural rather than narrative-driven, and it matters in practical terms because it changes who can safely intermediate flow and at what cost.
