TrustedVolumes Exploit Nets $6.7M; 1inch Says Users Unaffected

TrustedVolumes, an independent market maker and resolver used by multiple protocols including 1inch Fusion, confirmed on Thursday that roughly $6.7 million in Ethereum was taken and is now held across three Ethereum addresses. Two of the addresses hold about $3 million each and a third holds about $700,000.

A Web3 security firm first flagged the ongoing exploit, initially estimating about $5.87 million had been extracted in tokens including Wrapped Ether, USDT, Wrapped Bitcoin and USDC.

Blockchain security company CertiK reported the attacker registered as an allowed order signer through a public function on TrustedVolumes’ contracts and then used that authorization to execute orders that transferred funds. CertiK described the flaw as a permissioning issue in third‑party resolver code rather than a vulnerability in the core decentralized exchange protocol.

1inch posted on X that reports linking the breach directly to its platform were “misleading,” asserting “neither 1inch nor any of the 1inch protocols are involved.” The platform stated there was “no impact on 1inch systems, infrastructure or user funds.” Co‑founder Sergej Kunz wrote that TrustedVolumes operates independently and is one of several resolvers used by 1inch, calling the framing of the exploit “confusing and harmful.” 1inch said it is monitoring the situation with security partners and will assist where appropriate.

TrustedVolumes posted that it is open to “constructive communication” over a bug bounty and a “mutually acceptable resolution,” but did not provide technical details about the vulnerability or a timeline for recovery.

Security researcher Vladimir Sobolev, known as Officer’s Notes on X, wrote there was no risk to 1inch users and pointed to weaknesses in how third‑party infrastructure is managed. “We lack security in general. Blockchains just tend to have an immediate payoff,” he wrote, urging greater use of kill switches, monitoring and circuit breakers.

Security teams noted the attacker appears to be the same operator involved in a March 2025 exploit that targeted resolvers using an outdated Fusion v1 implementation. That earlier incident affected resolver contracts, about $5 million in assets was traced, and most of the funds were later returned after negotiations and a bug bounty agreement.

The breach involved a resolver and market‑making contracts that operate separately from a decentralized exchange’s core protocol. Vulnerabilities in such peripheral infrastructure can allow large asset transfers even when platform systems and end‑user balances remain intact.