A TrustedVolumes attacker has returned 1,122 ETH price about $2 million whereas conserving one other $2 million as a self-declared bounty.
Abstract
- The TrustedVolumes attacker returned 1,122 ETH price about $2 million.
- The exploiter retained one other $2 million as a self-declared bounty.
- Blockaid traced the Could assault to TrustedVolumes’ customized RFQ swap proxy.
In keeping with Com Feed monitoring, the Ethereum switch represents a partial restoration from the Could exploit, which initially drained about $5.87 million from a contract managed by the liquidity supplier. The attacker has retained roughly the identical greenback quantity because the returned funds, labeling it a bounty.
On the time of writing, TrustedVolumes had not formally confirmed that it had accepted the attacker’s bounty phrases.
Partial reimbursement recovers solely a part of the stolen funds
TrustedVolumes disclosed in Could that the whole loss had reached roughly $6.7 million, exceeding the preliminary estimate reported by safety researchers. The corporate mentioned at the moment the stolen belongings have been held throughout three addresses containing roughly $3 million, $3 million, and $700,000.
In search of to recuperate the belongings, TrustedVolumes supplied to debate a vulnerability bounty and what it known as a mutually acceptable resolution. The liquidity supplier additionally invited the attacker to start constructive communication, although its assertion didn’t specify a proposed bounty charge.
Earlier than the stolen tokens have been consolidated, Blockaid recognized 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1.27 million USDC among the many drained belongings. PeckShield later reported that the attacker exchanged the tokens and gathered the proceeds into about 2,513 ETH.
The returned 1,122 ETH was price about $2 million on the time of writing, whereas Com Feed valued the attacker’s retained bounty at an identical quantity. The mixed greenback worth is decrease than the unique loss as a result of ETH has fallen for the reason that Could exploit, when the stolen belongings have been transformed into the cryptocurrency.
Customized TrustedVolumes proxy induced the safety breach
As beforehand reported by crypto.information, Blockaid traced the Could 7 assault to a customized request-for-quote swap proxy operated by TrustedVolumes. In keeping with the safety agency, the attacker focused the corporate’s Ethereum resolver setup quite than an everyday 1inch swap route.
TrustedVolumes used the RFQ system to cite token costs and full signed trades from its stock. Verichains discovered {that a} public operate lacked entry controls, permitting the attacker to register an handle as an authorized order signer and create transactions that appeared legitimate to the proxy.
Throughout the identical transaction, the attacker directed the proxy to tug WETH, WBTC, USDT, and USDC from the TrustedVolumes stock vault. Verichains additionally recognized a mismatch between the handle checked for authorization and the handle supplying the tokens, whereas defective replay safety did not document orders appropriately.
Though the affected market maker equipped liquidity by 1inch, the assault didn’t compromise 1inch’s core aggregation contracts or customary consumer routes, in response to 1inch’s account of the incident. Blockaid linked the pockets to the March 2025 Fusion V1 exploit however reported that the Could assault used a special flaw tied to TrustedVolumes’ customized proxy.


