Overview
- TrustedVolumes disclosed Thursday that it lost about $6.7 million and shared three wallet addresses holding the stolen funds: roughly $3 million, $3 million, and $700,000.
- Blockaid identified the hit contract as TrustedVolumes’ resolver on Ethereum and counted about 1,291 WETH, 206,282 USDT, 16.93 WBTC, and 1.26 million USDC taken.
- Analysts linked the operator to the March 2025 1inch Fusion V1 incident while stressing that this breach used a different flaw in a TrustedVolumes-controlled request-for-quote proxy that handles quotes and swaps for a market maker.
- CertiK and Cyvers reported that a public function let the attacker register as an allowed signer, replay protections did not work, the transfer source was not validated, and some funds moved through the no-KYC service ChangeNow before being swapped to ETH.
- 1inch said its systems and user funds were unaffected and highlighted resolver trust risks, while security teams urged revoking approvals and reviewing custom proxy permissions after a month of heavy DeFi losses tied to targets like Drift and Kelp DAO.
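
The three failures CertiK and Cyvers describe correspond to three checks a quote-settlement proxy has to enforce. The model below is an added illustration, not TrustedVolumes' contract code or either firm's analysis; the class, function and account names are hypothetical, and HMAC-SHA256 stands in for on-chain signature verification.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Quote:
    maker: str   # account the signed quote authorises funds to leave
    taker: str
    amount: int
    nonce: int

def sign(key: bytes, q: Quote) -> bytes:
    # HMAC-SHA256 stands in for the on-chain signature scheme (assumption).
    msg = f"{q.maker}|{q.taker}|{q.amount}|{q.nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class RfqProxy:
    def __init__(self, owner: str):
        self.owner = owner
        self.signers = {}   # signer -> (key, maker it may sign for)
        self.used = set()   # (maker, nonce) pairs already settled

    def register_signer(self, caller, signer, key, maker):
        # Control 1: the signer allowlist is owner-gated, not public.
        if caller != self.owner:
            raise PermissionError("only the owner may register signers")
        self.signers[signer] = (key, maker)

    def fill(self, q: Quote, signer: str, sig: bytes, transfer_from: str) -> int:
        if signer not in self.signers:
            raise PermissionError("signer not on allowlist")
        key, maker = self.signers[signer]
        if not hmac.compare_digest(sig, sign(key, q)):
            raise ValueError("bad signature")
        # Control 3: funds may only leave the maker this signer is bound to.
        if transfer_from != q.maker or q.maker != maker:
            raise ValueError("transfer source not authorised by this quote")
        # Control 2: each (maker, nonce) settles once; record before paying out.
        if (q.maker, q.nonce) in self.used:
            raise ValueError("quote already used")
        self.used.add((q.maker, q.nonce))
        return q.amount

def outcome(fn, *args):
    # Returns the result, or the exception class name when a check rejects.
    try:
        return fn(*args)
    except (PermissionError, ValueError) as e:
        return type(e).__name__
```

When reviewing a custom proxy, each of the three commented controls is a concrete thing to look for: who can call the signer-registration path, where the nonce is consumed, and whether the transfer source is tied to the signed quote.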