The latest crypto hack is making headlines, and this time it has a familiar name attached. On May 7, 2026, security firm Blockaid flagged an active DeFi exploit draining funds from TrustedVolumes, a 1inch liquidity provider. By the time the dust settled, about $6.7 million in stolen crypto had moved across three Ethereum wallets. Here’s what happened, why 1inch itself wasn’t hacked, and what you should do if you’ve ever used 1inch Fusion.
What is TrustedVolumes?
Before we get into the TrustedVolumes exploit, a quick word on what TrustedVolumes actually does.
TrustedVolumes is a market maker — a company that provides liquidity (the funds available for trading) to crypto exchanges. It works as a resolver for 1inch Fusion, which means it helps fill trade orders that come through the 1inch app. Think of it like a wholesaler that supplies products to a store. The store (1inch) shows you the product. The wholesaler (TrustedVolumes) actually has it in stock.
That distinction matters a lot here, as you’ll see in a moment.
How the TrustedVolumes Exploit Happened
The Block reported that Blockaid detected suspicious activity on a TrustedVolumes contract on Ethereum. The attacker had found a way to drain funds without needing your wallet to approve any new transaction.
Here’s how it worked, in plain terms:
- The attacker found a public function in the TrustedVolumes resolver contract that anyone could call.
- They used that function to register themselves as an “Allowed Order Signer” — basically promoting themselves to a trusted role.
- Once promoted, they used old token approvals (permissions you’d given the contract earlier) to move funds out of wallets.
- They drained the contract through about 85 rapid transactions before security teams could react.
The scary part? Users didn’t have to click anything. If you’d ever used the affected contract before, your old approvals were enough for the attacker to move funds.
How Much Was Stolen?
Blockaid’s initial estimate put losses at $5.87 million. TrustedVolumes later confirmed the total was closer to $6.7 million, spread across three Ethereum wallets:
- Wallet 1: ~$3 million
- Wallet 2: ~$3 million
- Wallet 3: ~$700,000
The stolen crypto breakdown, per blockchain analytics firm PeckShield:
- 1,291 WETH (Wrapped Ether)
- 16.9 WBTC (Wrapped Bitcoin)
- 206,282 USDT (Tether stablecoin)
- 1,268,771 USDC (Circle stablecoin)
The attacker has already started swapping the stolen funds — converting WBTC and stablecoins into ETH to move them faster.
Was 1inch Hacked?
No. And this is the key point we want to clear up for you.
Despite headlines that read 1inch hack, the protocol itself was not breached. 1inch released a statement saying: “We are aware of misleading reports relating to an exploit involving TrustedVolumes. We can confirm that neither 1inch nor any of the 1inch protocols are involved.”
1inch co-founder Sergej Kunz added that TrustedVolumes operates independently and serves multiple platforms — not just 1inch. The exploit hit TrustedVolumes’ own custom contract, not 1inch’s core system.
So why did everyone call it a 1inch hack? Because TrustedVolumes is one of the main liquidity providers that powers 1inch Fusion trades. When their contract gets drained, 1inch users notice fast.
Why This Matters: The Repeat Attacker
Here’s the part that makes this DeFi exploit more interesting than usual. The attacker is the same operator behind the March 2025 1inch Fusion V1 hack that drained roughly $5 million from market makers.
Two attacks, same person, 14 months apart. But there’s a twist: this time the vulnerability is different.
- March 2025: The attacker abused a legacy settlement path in 1inch Fusion V1, tricking bots into sending liquidity to a malicious address.
- May 2026: The attacker exploited a custom RFQ (Request for Quote) swap proxy controlled by TrustedVolumes — a different weakness in a different contract.
That tells us something important. The attacker isn’t just lucky — they’re actively studying market maker infrastructure, looking for repeat opportunities. The first hack was patched. They came back and found a new door.
What You Should Do Right Now
If you’ve ever used 1inch Fusion or interacted with TrustedVolumes contracts, take a few minutes to check your old token approvals. Here’s a simple checklist for you:
- Visit a tool like Revoke.cash to see all active token approvals on your wallet.
- Look for anything tied to TrustedVolumes resolver contracts or older 1inch Fusion routes.
- Revoke any approvals you no longer need.
- Going forward, never grant unlimited approvals unless absolutely necessary. Set a specific amount when you can.
This is good hygiene regardless of this hack. Old approvals are one of DeFi’s biggest hidden risks. They stay active long after you’ve stopped using a protocol.
The Bigger Picture: DeFi Hacks in 2026
The TrustedVolumes exploit is the fifth major DeFi exploit in the past month alone. Per DefiLlama data, total stolen crypto in April 2026 hit roughly $635 million — the worst month since the $1.5 billion Bybit hack in February 2025.
Other big crypto hacks in recent weeks:
- Drift Protocol: $285 million social engineering attack
- Kelp DAO: $293 million exploit
- Wasabi Protocol: $5+ million via compromised admin key
- Ekubo: ongoing exploit, users urged to revoke approvals
The trend is clear. Crypto hacks in 2026 are getting bigger, faster, and more sophisticated. Many of them target third-party infrastructure — not the front-end protocols you know — so your funds can be at risk even when the main app is fine.
For now, TrustedVolumes says it’s open to a bug bounty deal with the attacker, similar to what worked in the 2025 case. Whether the funds come back this time is anyone’s guess.
The post Latest Crypto Hack: 1inch Liquidity Provider TrustedVolumes Drained for $6.7M appeared first on Memeburn.
