TrustedVolumes (1inch) Hack 2026 — $7M Exploit Analysis

A public function in TrustedVolumes' resolver contract let anyone become an authorized order signer, draining $6.7M in 85 rapid transactions via old approvals.

Details

Full Description

On May 7 2026, TrustedVolumes — a 1inch liquidity provider — lost $6.7M when an attacker exploited a critical access control flaw in its resolver contract. A public function allowed any address to register itself as an 'Allowed Order Signer,' bypassing the intended access controls. The attacker leveraged users' existing (old) token approvals granted to the TrustedVolumes contract to drain funds across approximately 85 rapid transactions. Stolen assets included 1,291 WETH, 16.9 WBTC, 206,282 USDT, and 1,268,771 USDC. The 1inch protocol itself was not compromised — only TrustedVolumes' own contract. Security researchers noted the same attacker was responsible for the March 2025 1inch Fusion V1 exploit, suggesting a repeat sophisticated actor. Funds were converted to approximately 2,513 ETH.

Laundering Analysis

Funds converted to approximately 2,513 ETH and dispersed across three attacker-controlled wallets on Ethereum. No mixer usage confirmed as of reporting date.

Sources

Related Hacks

Back to Browse