The TrustedVolumes exploit on Ethereum drained at least $5.87 million before the final count climbed higher. Blockchain security firm Blockaid’s detection system caught the attack mid-drain on May 7, flagging an ongoing breach on TrustedVolumes’ resolver contract at 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31. The attacker address, 0xC3EBDdEa4f69df717a8f5c89e7cF20C1c0389100, had been seen before.

TrustedVolumes later confirmed the full loss at $6.7 million, split across three wallets, two holding roughly $3 million each and a third around $700,000. The firm said it was open to bounty negotiations.

As Blockaid posted on X, the stolen assets at first count included 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1,268,771 USDC, with total extraction sitting near $5.87 million before TrustedVolumes revised the figure upward.

“Blockaid’s exploit detection system has identified an on-going exploit on TrustedVolumes (1inch market maker/resolver). Same operator as the March 2025 1inch Fusion V1 incident; this is a different vulnerability, in a TrustedVolumes-controlled custom RFQ swap proxy.”

That last detail matters. A different vulnerability, not the same one patched after March 2025.

Not the First Time This Hand Appeared

The March 2025 Fusion V1 incident cost roughly $5 million. Most of it came back under a bounty arrangement, the attacker keeping a portion as a finder’s fee. This time the weak point sits in a TrustedVolumes-controlled custom RFQ swap proxy at 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756, according to Blockaid’s on-chain analysis. The attacker registered as an authorized order signer through a public function, then used that permission to drain assets from targeted wallets.

Blockaid followed up on X to correct early coverage that framed the breach as a 1inch protocol failure.

“The security incident affected @trustedvolumes, one of hundreds of independent liquidity providers/market makers on 1inch. Importantly, the @1inch itself was not exploited, and there was zero impact on the protocol, its infrastructure, or any users.”

1inch had already moved to push back on those reports. In a statement posted on X, the protocol called coverage linking it directly to the breach misleading.

1inch stated on X:

“We are aware of misleading reports relating to an exploit involving TrustedVolumes. We can confirm that neither 1inch nor any of the 1inch protocols are involved. There is no impact on 1inch systems, infrastructure or user funds. TrustedVolumes operate independently as a liquidity provider, used by multiple protocols across the industry, and are not exclusive to 1inch.”

Security researcher Vladimir Sobolev, known as Officer’s Notes on X, told Cointelegraph there was no risk for 1inch users. The exploit, Sobolev said, points to a wider failure in crypto security practices where vulnerabilities in custom contract logic can produce immediate losses before anyone intervenes.

May’s Damage Sheet

The TrustedVolumes breach is the fifth major DeFi exploit recorded since May 1. The month opened with three separate incidents before the week was out.

Sharwa.Finance lost $32,850 on May 1 to oracle price manipulation. Sharwa posted on X, acknowledging the stress on users and partners and stating the protocol would not be closing.

“This was my first experience facing a hack, the anxiety and stress were immense. We’ve been building Sharwa since 2022, step by step. Sharwa isn’t closing. We’re not quitting.”

The same day, Bisq reported $858,000 drained through a fake Bisq V1 client. Bisq Network disclosed on X that open offers were targeted over 12 hours, with funds in users’ Bitcoin wallets untouched. A follow-up thread from Bisq on X flagged the growing role of AI-assisted attacks in the incident. Full reimbursement planning details appeared on the Bisq community forum.

April 30 brought the largest single loss of the stretch. Wasabi Protocol posted on X that it was investigating an issue and urged users not to interact with its contracts.

Blockaid identified the breach on X as an admin-key compromise. The deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then upgraded the perp vaults and LongPool. HypernativeLabs reported on X that roughly $5 million was drained across three chains in a coordinated attack. PeckShieldAlert confirmed on X the chains affected were Ethereum, Base, Berachain, and Blast. CertiKAlert’s early tracking on X pegged the initial figure at $2.9 million before the full $5.5 million emerged.

SmartCredit followed on May 4. SmartCredit disclosed on X that its Leveraged Lido module was hit by a flashloan attack draining $72,000. Per SlowMist’s incident database, the protocol’s Loss Provision Fund would cover the gap for affected stakers.

Ekubo and the Callback Flaw

May 5 added Ekubo Protocol to the list. Ekubo posted on X that an active security incident was affecting its swap router contract on EVM chains, with Starknet and liquidity providers confirmed unaffected.

Blockaid flagged the Ekubo breach on X, reporting the attacker executed 85 transactions, each pulling 0.2 WBTC to a single address. The total came to $1.4 million. CertiKAlert’s post on X explained the attacker abused a flaw in the IPayer.pay callback, controlling the payer, token, and amount parameters freely. SlowMist’s log confirmed the contract failed to verify whether the payer was the lock initiator or an authorized payment source.
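The missing payer check described above can be shown in a small model. This is an added example, not Ekubo's contract code: the `Token` and `Router` classes, the account names and the amounts are all hypothetical, and the `check_payer` flag toggles between the flawed behaviour and the hardened one.

```python
# Simplified model with hypothetical names; this is not Ekubo's contract code.

class Token:
    """Minimal ERC-20-style ledger: balances plus spender allowances."""
    def __init__(self, balances, allowances):
        self.balances = dict(balances)
        self.allowances = dict(allowances)  # (owner, spender) -> remaining

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("allowance or balance too low")
        self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Router:
    """Pulls payment through a pay() callback while a lock is open."""
    ADDRESS = "router"

    def __init__(self, check_payer):
        self.check_payer = check_payer
        self.locker = None  # account that opened the current lock

    def lock(self, caller, action):
        self.locker = caller
        try:
            return action(self)
        finally:
            self.locker = None

    def pay(self, payer, token, amount, recipient):
        if self.locker is None:
            raise PermissionError("pay() called outside a lock")
        # Hardened path: the payer must be the account that opened the lock.
        if self.check_payer and payer != self.locker:
            raise PermissionError("payer is not the lock initiator")
        token.transfer_from(self.ADDRESS, payer, recipient, amount)

def victim_balance_after(check_payer):
    """Constructed case: alice approved the router; mallory opens the lock."""
    wbtc = Token({"alice": 10}, {("alice", Router.ADDRESS): 10})
    router = Router(check_payer)
    try:
        router.lock("mallory", lambda r: r.pay("alice", wbtc, 2, "mallory"))
    except PermissionError:
        pass  # the hardened router rejected the mismatched payer
    return wbtc.balances["alice"]
```

Without the check, the router's standing allowance is spent on behalf of whoever opens the lock; with it, an account can still pay for its own lock but cannot name a third party as payer.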

Core protocol users were not affected. The risk applied to anyone who had approved the v2 contract as a token spender.
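Since exposure depended on having approved the contract as a spender, a wallet operator can measure it from ERC-20 `Approval` logs. The following is an added example, not taken from any of the firms quoted: the addresses and log entries are constructed placeholders, and the log dictionaries are assumed to follow the `eth_getLogs` JSON shape.

```python
# Added example: find wallets with a standing ERC-20 allowance to a flagged spender.
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def topic_to_address(topic):
    """Indexed address topics are 32 bytes; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs, spender):
    """Return {(token, owner): amount} from the latest non-zero approval to spender."""
    spender = spender.lower()
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        # ERC-721 Approval has the same topic0 but four topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)  # a later approval overwrites earlier ones
    return {k: v for k, v in latest.items() if v > 0}

# --- constructed sample data (placeholder addresses, not real contracts) ---
SPENDER = "0x" + "ee" * 20
TOKEN = "0x" + "11" * 20
ALICE, BOB, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20

def _pad(addr):
    return "0x" + "0" * 24 + addr[2:]

def _log(owner, spender, value, block):
    return {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": "0x0"}

SAMPLE_LOGS = [
    _log(ALICE, SPENDER, 2**256 - 1, 100),  # unlimited approval, never revoked
    _log(BOB, SPENDER, 5000, 101),
    _log(BOB, SPENDER, 0, 140),             # Bob revoked later
    _log(ALICE, OTHER, 1, 120),             # different spender, ignored
]
```

The logged amount is the last value approved; a finite allowance may have been partly spent since, so confirm with the token's `allowance(owner, spender)` call before deciding which approvals to revoke.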

Running Totals

According to DefiLlama data we have cited, $635.2 million was stolen across DeFi in April 2026, the largest monthly figure since the Bybit hack in February 2025. May is now building its own count. The TrustedVolumes exploit alone adds $6.7 million, and the month has produced more than $14 million in combined losses across five incidents before the second week began.

TrustedVolumes said it remains open to a negotiated resolution with the attacker. No recovery timeline has been confirmed.