1inch Market Maker TrustedVolumes Exploited for $6.7 Million — Fifth DeFi Hack of May 2026

Another DeFi exploit has landed — and this time the target is infrastructure that sits beneath some of the most widely used protocols in the space.

TrustedVolumes, a liquidity provider and market maker serving 1inch, Uniswap, MetaMask, and Ledger, was exploited for approximately $6.7 million on Ethereum on Thursday. The attack was flagged in real time by Blockaid’s exploit detection system, which identified the breach as it was actively unfolding.

The funds extracted include approximately 1,291 WETH, 206,282 USDT, 16.9 WBTC, and 1.27 million USDC — spread across three wallet addresses on Ethereum that have been publicly identified by TrustedVolumes in its post-incident statement.
This is the fifth DeFi exploit recorded in May 2026 alone, in a year that has already seen more than $6 billion in total crypto theft since January.

What Was Exploited and How

The vulnerability was not in 1inch’s protocol or infrastructure. Blockaid’s analysis identified the attack vector as a TrustedVolumes-controlled custom RFQ swap proxy — a proprietary contract operated by the market maker independently of the protocols it serves. The specific address at the center of the exploit is publicly documented on-chain.

Critically, Blockaid flagged that the operator behind this attack appears to be the same actor responsible for the March 2025 1inch Fusion V1 incident — though the vulnerability exploited this time is categorically different. Same attacker, new vector. The implication is that whoever is targeting TrustedVolumes has been studying its infrastructure across multiple attack cycles, identifying new weaknesses after the previous one was patched.

1inch moved quickly to distance itself from the incident.

“We can confirm that neither 1inch nor any of the 1inch protocols are involved. There is no impact on 1inch systems, infrastructure or user funds,” the protocol stated on X.

The team added that TrustedVolumes operates independently as a liquidity provider used by multiple protocols across the industry and is not exclusive to 1inch — clarifying that the exploit targeted the market maker’s own infrastructure, not the DEX aggregator’s contracts.

TrustedVolumes Confirms the Incident — and Opens the Door to Negotiation

TrustedVolumes confirmed the exploit in its own statement, publishing the three wallet addresses currently holding the stolen funds: approximately $3 million in each of the first two addresses and roughly $700,000 in the third.

The statement was notable for one specific detail: the protocol indicated it is “open to constructive communication regarding a bug bounty and a mutually acceptable resolution.”

That language — standard in post-exploit communications from protocols that want their funds back — signals TrustedVolumes is attempting to negotiate with the attacker rather than relying solely on law enforcement or on-chain freezing mechanisms. Whether the attacker responds is an open question, but the public acknowledgment of the stolen wallet addresses creates on-chain transparency that at least tracks where the funds currently sit.

Why TrustedVolumes Matters Beyond This Exploit

The significance of this incident extends beyond the $6.7 million figure. TrustedVolumes is not a consumer-facing protocol — most retail DeFi users have never heard of it. But it operates as critical middleware between the interfaces people use daily and the on-chain liquidity that makes those interfaces functional.

As a resolver on 1inch and a liquidity provider for MetaMask and Ledger, TrustedVolumes sits inside the execution layer of trades that millions of users initiate through wallets and aggregators they consider trusted. When that layer is compromised, the damage is contained to the market maker’s own funds — but the incident raises questions about how well the security of these intermediate infrastructure layers is scrutinized compared to the protocols and wallets they serve.

The March 2025 1inch Fusion V1 incident established that this attacker has specific knowledge of TrustedVolumes’ infrastructure and the patience to return for a second attempt. That pattern — study, attack, patch, return with a new vector — is consistent with sophisticated threat actors who treat individual market makers as long-term targets rather than one-time opportunities.

May 2026 Is Becoming a Significant Month for DeFi Security

This is the fifth DeFi exploit in May 2026. The month is not halfway complete.

The year as a whole has been brutal. More than $6 billion has been drained from crypto protocols, individual users, and blockchain infrastructure since January — through North Korean state-sponsored operations on Drift Protocol and KelpDAO, bridge exploits, governance attacks, private key compromises, and now a returning attacker targeting market maker infrastructure with a new vulnerability.

The TrustedVolumes exploit is smaller in dollar terms than the headline hacks of April, but it represents a different category of risk — the exploitation of invisible infrastructure that retail users never interact with directly but depend on every time they execute a swap. If the resolver layer of DEX aggregators becomes a consistent attack surface, the implications for the security of on-chain trading more broadly are significant.

Blockaid continues to monitor the situation. 1inch has stated it is actively assisting relevant security parties. TrustedVolumes has not yet published a technical post-mortem, and the investigation is ongoing.