Blockaid says an ongoing exploit is draining funds from TrustedVolumes, a market maker and resolver that supplies liquidity to 1inch, with losses now close to 6 million dollars. The attack is still active on Ethereum, and security teams are warning traders and bots to route around the affected contracts.
Blockaid Flags Live Attack on TrustedVolumes
Web3 security firm Blockaid reported that its exploit detection system picked up suspicious activity involving TrustedVolumes, which routes trades for 1inch and other aggregators. The firm says the victim is a TrustedVolumes-controlled RFQ swap proxy contract at address 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756 on Ethereum. In a post on X, Blockaid described the incident as an “on‑going exploit” and said more technical details will follow once the path is fully mapped.
According to Blockaid’s live monitoring, the attacker has siphoned about 5.87 million dollars so far. Stolen assets include roughly 1,291 WETH, 206,282 USDT, 16.9 WBTC, and 1.27 million USDC taken from the resolver contract. The firm is tracking the attacker’s addresses on-chain and has linked the activity to an operator it has seen before.
Same Operator as 2025 1inch Fusion Exploit
Blockaid believes the attacker is the same operator behind the 1inch Fusion v1 incident that hit several market makers in March 2025. In that earlier case, an attacker abused a legacy settlement path to trick bots into sending liquidity directly to a malicious address instead of using it for fills. 1inch and its partners later patched that bug and moved market makers onto updated contracts.
This time, Blockaid says the weakness is different and sits in a custom RFQ trading agent contract controlled by TrustedVolumes rather than in core 1inch contracts. The exploit targets how that proxy handles swap calls and approvals, allowing the attacker to drain assets sitting under its control. Because TrustedVolumes owns the contract, the blast radius centers on the liquidity they manage, not on user wallets connecting directly to 1inch.
DeFi aggregator 1inch has already issued a statement distancing its infrastructure from the bug. The team says none of its smart contracts, backend systems, or user-held funds have been touched in the incident. It also notes that TrustedVolumes is an independent liquidity provider that serves multiple platforms, not a service exclusive to 1inch.
1inch added that it hopes early headlines do not confuse users into thinking the exploit hit its protocol.