TrustedVolumes $6.7M Exploit: Resolver Risk, Not a 1inch Protocol Breach

## TrustedVolumes turns a resolver exploit into a test of DeFi's outsourced execution layer

![Stablecoin market visual](https://coinalx.com/d/file/upload/raw_syn_sm5wax-hero-1-20260507124045.jpg)

On May 7, 2026, [Decrypt](https://decrypt.co/367070/defi-platform-trustedvolumes-hit-by-6-7m-exploit) reported that TrustedVolumes, a liquidity provider and resolver used by multiple DeFi protocols, was exploited for about $6.7 million. The same incident was covered by [Cointelegraph](https://cointelegraph.com/news/1inch-fusion-resolver-trusted-volumes-floats-bounty-after-67m-exploit), which said TrustedVolumes confirmed the stolen funds were sitting across three Ethereum addresses, two holding about $3 million each and one holding about $700,000.

The number moved during the day. Blockaid's earlier public estimate was about $5.87 million, with extracted assets including roughly 1,291 WETH, 206,282 USDT, 16.93 WBTC and 1.26 million USDC. The later $6.7 million figure matters because it came after TrustedVolumes listed the wallets and opened the door to bug bounty discussions. That sequence is useful: first came security-firm detection, then public attribution, then a negotiation channel.

### The two-source picture: same incident, different emphasis

Decrypt leans into the technical diagnosis. Hakan Unal of Cyvers described a mix of permissionless signer registration, broken replay protection and an unvalidated transfer-source field. Cointelegraph puts more weight on the market-structure boundary, noting CertiK's account that the attacker registered as an allowed order signer through a public function and then used that authorization to move funds from targets.

![Market structure visual](https://coinalx.com/d/file/upload/raw_syn_sm5wax-content-1-20260507124050.jpg)

Those accounts are not contradictory.
They describe different layers of the same failure: who could become trusted, whether a signed action could be reused, and whether the contract checked where assets were really coming from. For a resolver, that combination is dangerous because the business role is built around fast execution and trusted routing.

## The security fault line is signer control, not only stolen token balances

The immediate loss number is easy to understand, but it is not the whole security story. A resolver or market maker can sit close to order flow while still operating contracts outside the core DEX protocol. That creates a gray zone for readers: the affected infrastructure can be connected to a familiar trading route without being the protocol itself.

### Why replay protection and source validation change the risk boundary

If signer registration is too open, an attacker may become part of the permission layer. If replay protection fails, an authorization path can be used more than once. If the transfer source is not validated, the contract may move assets from places the signer was never meant to control. The risk boundary therefore sits at the contract permissions layer, not at a simple front-end label such as a swap interface.

That distinction also explains why the same attacker history matters. Blockaid and other researchers linked the operator to the March 2025 1inch Fusion V1 resolver incident, while stressing that the latest attack used a different vulnerability. The pattern is not a copy-and-paste repeat. It is a sign that resolver-specific infrastructure remains attractive when previous security reviews close one path but leave adjacent assumptions in place.

## 1inch's denial narrows the blast radius, but it does not remove integration risk

1inch said reports linking the breach directly to its own protocols were misleading and stated that its systems, infrastructure and user funds were not affected.
Sergej Kunz, 1inch's co-founder, also said TrustedVolumes operates independently and is one of many resolvers used by the market.

> There is no impact on 1inch systems, infrastructure or user funds.
> -- 1inch statement cited by Decrypt and Cointelegraph

That boundary is important, but it should not be read as the end of the story. In DeFi execution, independence and interconnection often exist at the same time. A third-party resolver can fail without compromising the core protocol, yet the event can still expose routing, vetting and monitoring assumptions in the broader execution stack.

### Redundancy worked only if users were actually routed away from the weak point

1inch told Decrypt that if a provider is unavailable or compromised, others can continue serving users. That is the right design principle for an aggregator. The verification question is narrower: how quickly the affected resolver was isolated, whether any approvals remained exposed, and whether other resolvers use similar custom proxy patterns.

## The broader DeFi lesson is about outsourced trust under real-time settlement

Traditional finance can often slow down reconciliation after a vendor incident. DeFi has less room for delay because settlement, authorization and asset movement happen inside the same on-chain execution path. When a trusted component fails, the payout can be immediate.

This is why kill switches, monitoring and circuit breakers keep coming up in security commentary. They are not decorative controls. They are the mechanisms that decide whether a resolver failure remains a contained vendor incident or turns into repeated unauthorized transfers.

### The verification frame after the exploit

The practical checks are concrete. TrustedVolumes would need to disclose the affected contract path, explain how signer registration was constrained, and show that replay protection and transfer-source validation were repaired.
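
The three contract-level checks discussed above (constrained signer registration, replay protection, transfer-source validation) are modelled here in Python as an added example; it is not TrustedVolumes' or 1inch's code. The class, account names and order fields are hypothetical, and signature verification is assumed to have already succeeded.

```python
class ResolverSettlement:
    """Toy model of a settlement contract (constructed; signatures assumed verified)."""
    def __init__(self, admin, balances):
        self.admin = admin
        self.balances = dict(balances)  # account -> token units
        self.signer_of = {}             # funding account -> its approved signer
        self.used_nonces = set()        # (signer, nonce) pairs already consumed

    def register_signer(self, caller, account, signer):
        # Check 1: registration is admin-gated, not open to any caller.
        if caller != self.admin:
            raise PermissionError("signer registration is restricted")
        self.signer_of[account] = signer

    def fill(self, order):
        signer, source, amount = order["signer"], order["source"], order["amount"]
        # Check 2: the transfer source must be an account bound to this signer.
        if source not in self.signer_of or self.signer_of[source] != signer:
            raise PermissionError("signer does not control transfer source")
        # Check 3: each (signer, nonce) pair authorizes exactly one fill.
        if (signer, order["nonce"]) in self.used_nonces:
            raise ValueError("order already filled (replay)")
        if amount <= 0 or self.balances.get(source, 0) < amount:
            raise ValueError("invalid amount")
        self.used_nonces.add((signer, order["nonce"]))  # consume before moving funds
        self.balances[source] -= amount
        self.balances[order["to"]] = self.balances.get(order["to"], 0) + amount


def run_scenarios():
    """Run constructed orders against the model; return outcomes and final balances."""
    c = ResolverSettlement("admin", {"mm_vault": 1000, "other_vault": 500})
    c.register_signer("admin", "mm_vault", "mm_signer")
    good = {"signer": "mm_signer", "source": "mm_vault", "to": "taker", "amount": 100, "nonce": 1}
    attempts = {
        "self_registration": lambda: c.register_signer("stranger", "other_vault", "stranger"),
        "valid_fill": lambda: c.fill(good),
        "replayed_fill": lambda: c.fill(good),
        "foreign_source": lambda: c.fill({**good, "source": "other_vault", "nonce": 2}),
    }
    results = {}
    for name, attempt in attempts.items():
        try:
            results[name] = attempt() or "ok"  # both methods return None on success
        except (PermissionError, ValueError) as exc:
            results[name] = f"rejected: {exc}"
    return results, c.balances


print(run_scenarios())
```
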
Integrators need to say whether similar resolver contracts were reviewed, not only whether their core protocol avoided direct compromise.

If the stolen funds move into a bounty settlement, that may reduce the final economic loss. It would not by itself prove that the execution layer is safer. The stronger signal would be a postmortem that maps the exact trust assumptions and shows which integrations changed because of it.

---

Author: Coinalx Editorial Team | First published: 2026-05-07 | Last updated: 2026-05-07

Source: [decrypt.co](https://decrypt.co/367070/defi-platform-trustedvolumes-hit-by-6-7m-exploit)
