Top Highlights
- TrustedVolumes lost $5.9M to a hacker exploiting a flaw in its custom trade system, not the 1inch protocol itself.
- The attacker used a vulnerability in the RFQ proxy, registering as an authorized signer and abusing authorization checks to drain funds.
- The hack involved executing multiple drain transactions, converting stolen assets, and sending funds to the attacker’s wallet.
- Both 1inch and Blockaid clarified that neither user funds nor the protocol were compromised, emphasizing that the attack targeted TrustedVolumes independently.
Hacker Drains $5.9 Million from Ethereum Liquidity Provider TrustedVolumes
What Happened
On Thursday, a hacker stole about $5.9 million from TrustedVolumes, a liquidity provider on the Ethereum blockchain, by exploiting a weakness in TrustedVolumes’ trading system. The stolen funds include ETH, WBTC, and the stablecoins USDT and USDC. Blockchain security firm Blockaid detected the breach while it was happening.
The hacker used a flaw in a system called RFQ, which handles trade settlements. A key vulnerability involved a function that let anyone register themselves as an authorized trader. Normally, this feature would be safe, but an error caused the system to check permissions against the wrong address. As a result, the attacker manipulated transactions to drain funds. According to a technical report, they registered as an authorized signer and then repeatedly moved assets from the platform’s contracts. The hacker converted some of the stolen WETH into ETH and sent it all to their own wallet.
TrustedVolumes confirmed the attack and shared three wallet addresses holding the stolen coins. It also asked the hacker to get in contact about a bug bounty and a resolution.
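The permission flaw described above can be shown with a small Python model. This is an added illustration, not TrustedVolumes' contract code: the class, account names and order fields are hypothetical, and because the article does not say which wrong address was checked, the model assumes it was the caller's own.

```python
# Simplified model, constructed for illustration (not the real RFQ proxy).
class RfqProxyModel:
    def __init__(self, check_against_owner):
        # False reproduces the flawed check, True the corrected one.
        self.check_against_owner = check_against_owner
        self.signers = {}   # account -> signers that account has registered
        self.balances = {}  # account -> funds held through the proxy

    def register_signer(self, caller, signer):
        # Open to anyone by design: it only extends the caller's OWN set.
        self.signers.setdefault(caller, set()).add(signer)

    def settle(self, caller, order, signed_by):
        owner = order["maker"]  # account whose funds the order spends
        # Assumed flaw: the lookup uses the caller's entry, which the caller
        # controls, instead of the entry of the account that owns the funds.
        principal = owner if self.check_against_owner else caller
        if signed_by not in self.signers.get(principal, set()):
            raise PermissionError("signer not authorized for " + principal)
        if self.balances.get(owner, 0) < order["amount"]:
            raise ValueError("insufficient balance")
        self.balances[owner] -= order["amount"]
        to = order["recipient"]
        self.balances[to] = self.balances.get(to, 0) + order["amount"]
        return self.balances[owner]


def run_scenario(check_against_owner):
    """Replay one constructed settlement; return 'settled' or 'rejected'."""
    proxy = RfqProxyModel(check_against_owner)
    proxy.balances["lp"] = 100
    proxy.register_signer("lp", "lp_key")              # legitimate setup
    proxy.register_signer("outsider", "outsider_key")  # self-registration
    order = {"maker": "lp", "recipient": "outsider", "amount": 100}
    try:
        proxy.settle("outsider", order, signed_by="outsider_key")
        return "settled"
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    print("flawed check :", run_scenario(False))
    print("correct check:", run_scenario(True))
```

Self-registration is harmless only while every authorization lookup is keyed on the account that owns the funds being moved; an audit or test suite should assert that a signer registered by one account is rejected for orders spending another account's balance.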
Market Response and Context
Because TrustedVolumes acts as a market maker on the 1inch platform, early reports suggested a possible link to 1inch itself. However, both 1inch and a cybersecurity firm clarified that their protocols were not compromised. TrustedVolumes operates independently across different platforms, not solely on 1inch. This attack comes during a tough period for decentralized finance, or DeFi. Last month, hackers stole more than $650 million across different projects. Notable examples include KelpDAO and Drift Protocol, which lost hundreds of millions of dollars. While $5.9 million sounds large, it is small compared with those recent breaches. The attack shows advanced techniques, such as deploying helper contracts and exploiting permission flaws, which go beyond simple bugs. This situation highlights ongoing challenges in securing DeFi systems and the importance of strengthening smart contract defenses.
