\n
<\/p>\n
\n\t\t\t\t\t\t\t\t\tEarly reports framed the incident as a 1inch exploit, but the protocol clarified that it was not compromised and no user funds were affected.\t\t\t\t\t\t\t\t<\/p>\n<\/p><\/div>\n
TrustedVolumes, a liquidity provider on the Ethereum blockchain, lost about $5.9 million in funds to a hacker on Thursday.<\/p>\n
The attacker was able to exploit a vulnerability within the custom trading system used by the platform and managed to withdraw the funds, which included ETH, WBTC, as well as USDT and USDC stablecoins.<\/p>\n
According to blockchain security firm Blockaid, which caught<\/a> the exploit as it was happening, the stolen funds included 1,291 WETH, around 16.9 WBTC, roughly 206,000 USDT, and just under 1.27 million USDC.<\/p>\n The attack worked by abusing a design flaw in TrustedVolumes\u2019 custom order-settlement system, known as a Request for Quote (RFQ) proxy.<\/p>\n GoPlus Security posted a breakdown showing<\/a> that the attacker registered themselves as an authorized \u201corder signer\u201d using a function called \u201cregisterAllowedOrderSigner()\u201d that was publicly accessible.<\/p>\n The function allows anyone to designate their own address as a valid signer for trades they controlled, and while normally that would be harmless enough, the settlement function had a separate problem: it checked authorization against one address while actually pulling funds from a different one.<\/p>\n As detailed in a technical report posted<\/a> by security researcher Defi Nerd, the attacker used that gap to execute four drain transactions against the TrustedVolumes resolver contract, which had previously given the proxy permission to move its tokens.<\/p>\n According to them, each time, the proxy pulled assets from the resolver and sent only a single raw USDC unit back. Then the attacker converted the stolen WETH back into ETH and forwarded everything to their own wallet.<\/p>\n TrustedVolumes confirmed the exploit and publicly posted three wallet addresses holding the stolen funds, asking the hacker to get in touch about a \u201cbug bounty and a mutually acceptable resolution.\u201d<\/p>\n Because TrustedVolumes functions as a liquidity provider and market maker on 1inch, some early reports framed the incident as a 1inch exploit.<\/p>\n However, that is not accurate, and both 1inch and Blockaid put out statements clarifying<\/a> that the protocol itself was not compromised and no user funds on 1inch were affected.\u00a0TrustedVolumes operates independently across multiple platforms, not exclusively on 1inch.<\/p>\n The attack occurred during an especially difficult period for the DeFi ecosystem since it followed a catastrophic month of April, where more than $650 million worth of crypto was stolen<\/a> from different projects.<\/p>\n KelpDAO and Drift Protocol were the most affected, having $292 million and $285.2 million taken away from them.<\/p>\n So at $5.9 million, this latest exploit is smaller in scale. But the technical sophistication of the approach, deploying a helper contract, abusing self-service signer registration, and exploiting a maker\/funding-source mismatch in a single transaction, puts it in a different category from a simple bug or misconfiguration.<\/p>\nYou may also like:<\/h3>\n
1inch Distances Itself as DeFi Hacks Continue<\/h2>\n