TrustedVolumes $6.7M Exploit: How a Signature Validation Flaw Drained a 1inch Market Maker
Discover how the $6.7M TrustedVolumes exploit drained a 1inch market maker through a signature validation flaw. Learn why resolvers are prime targets and how DEX users can reduce routing risks.
Key Takeaways
A bug in how signatures were checked let attackers pretend their fake orders were real, allowing them to drain about $6.7 million from a 1inch market maker called TrustedVolumes.
Market makers (also known as resolvers) sit close to where trades actually get filled, which makes them very attractive targets for hackers.
As an everyday DEX user, you cannot fix backend bugs, but you can protect yourself by reviewing token approvals, sticking to trusted websites, and keeping smaller balances in your active wallet.
Introduction
The recent $6.7 million TrustedVolumes hack is a useful wake-up call for anyone trading on DeFi. It shows that risks do not just live inside the apps you can see and click on. Sometimes the danger hides deeper, in the behind-the-scenes systems that quietly fill your trades.
In this case, the problem was a signature validation flaw. The affected party was a 1inch market maker, which in the 1inch Fusion system is often called a resolver. To make things even more interesting, the same attacker group was reportedly behind another 1inch Fusion V1 exploit earlier in 2026. That repeat pattern made this incident stand out.
If you are still learning DeFi, this story matters for two reasons. First, it shows how the small print of crypto security (like how a system checks signatures) can go badly wrong without you noticing. Second, it reminds you that fancy trade routing comes with hidden trust assumptions. The smoother the user experience, the more layers of infrastructure may sit underneath.
Let us break it down step by step.
Timeline of the TrustedVolumes Exploit
The incident was reported in May 2026 and involved TrustedVolumes, a market maker connected to the 1inch ecosystem. Here is what happened in plain language.
Stage | What Happened | Why It Mattered |
Early warning | Strange trading activity was spotted in the system. | It hinted at fake orders rather than normal market-making losses. |
Exploit identified | Investigators traced the issue to a signature validation bug that accepted bad orders as real. | It confirmed the problem was about permissions, not just trading slippage. |
Funds drained | The attacker pulled value out of the market maker's holdings. | It showed how behind-the-scenes systems can be a direct target. |
Attacker linked to past incident | Reports tied the attacker to the earlier 1inch Fusion V1 exploit. | It suggested the same playbook was being reused. |
Lessons learned phase | The community focused on fixing signature logic and tightening security. | The event turned into a broader warning for DeFi developers. |
Even without every technical detail being public, the pattern is clear. When a system mistakenly accepts a fake or unauthorised order, attackers can quietly walk away with funds, looking just like normal traders to the code.
What Is a 1inch Resolver, and Why Should You Care?
To understand the hack, you need to understand who a resolver is in the 1inch Fusion model.
Think of it this way. When you place a swap on 1inch, you are basically saying "I want to trade Token A for Token B at a good price." Instead of you running around checking every DEX yourself, a resolver does that work for you. A resolver is a specialised player that finds liquidity, fills your order, and settles the trade.
Here is the basic flow.
Player | Role |
You (the user) | You submit a swap request or order. |
Aggregator logic | It figures out the best route for your trade. |
Resolver or market maker | It actually fills your order using the liquidity it has access to. |
Liquidity venues | These are the pools or markets that supply the tokens you want. |
This system can give you better prices and smoother trades. But it also means a few important players sit between you and your final swap. If something goes wrong with one of those players, the impact can be big.
How Forged Orders Slipped Past the Bouncer
The heart of the exploit was a signature validation problem. Let us unpack what that means in everyday language.
In crypto, a signature is like a digital fingerprint. It proves that a specific person or system approved a specific action. When a smart contract receives an order, it should check the signature carefully and only accept the order if the fingerprint is real.
If that check is sloppy, fake signatures can sneak in. The contract then treats fake orders as if they were genuine.
Here is roughly how it played out:
The resolver was supposed to only accept properly approved orders.
The attacker found a way to craft fake orders that still passed the signature check.
Because the code believed the orders were legitimate, it processed them as normal.
This let the attacker trigger trades they should never have been allowed to make.
Funds were drained from the market maker's inventory.
This is what people mean by an "authorization bypass." The attacker did not steal a password. They tricked the system into thinking they had permission all along.
Why Signature Checks Are So Tricky
On the surface, signatures sound simple. Either a message is signed or it is not. In practice, there are many small ways the check can go wrong.
Type of Risk | What It Means | Why It Matters |
Wrong signer detected | The code identifies the wrong person as the signer. | Unauthorised orders may slip through. |
Weak domain separation | A signature valid for one contract gets reused in another. | Signatures get misused across different systems. |
Replay attacks | Old, valid signatures get used again. | Attackers can repeat actions they should not be able to. |
Incomplete binding | The signature does not lock in all the important details of the order. | Order data can be tampered with after signing. |
Over-trusting assumptions | A contract assumes another part of the system already did the safety checks. | Hidden risks build up across layers. |
Because signatures sit right next to where real money moves, even tiny bugs here can cause huge losses.
Why Hackers Love Targeting Resolvers
Resolvers and market makers are juicy targets for three big reasons.
Reason | Plain Explanation |
Big balances | Market makers hold meaningful amounts of crypto to fill orders. One resolver can have more value than thousands of regular wallets combined. |
Complex code | More features and more routing logic means more places where bugs can hide. |
Less public scrutiny | Most traders never look at the execution layer. They trust the website, not the back end. |
Reusable bugs | If one flaw works once, similar systems may have the same weakness. That is why the same attacker group can strike twice. |
This is why DEX aggregator risk is often indirect. You may trust the brand name on the front page, but the safety of your trade depends on systems you cannot see.
What You Can and Cannot Do as a DEX User
This kind of hack is uncomfortable because it shows that some of the most important risks are out of your hands. But you are not completely powerless. Let us split it into two buckets.
What You Cannot Really Control
Honestly, as an everyday user you cannot:
Inspect a market maker's internal setup in real time.
Verify every backend assumption behind an aggregator's route.
Stop a professional market maker from running buggy code.
Spot every exploit before the news breaks.
It is important to accept this limit. No amount of caution gives you full protection against backend bugs.
What You Can Do
You still have plenty of control over your own wallet habits and where you trade. Here are some practical steps.
Action | Why It Helps |
Review your token approvals often | If a connected app turns out to be unsafe, you have less exposure. |
Stick to official websites and trusted interfaces | This cuts down phishing and fake-site risk. |
Keep large balances out of your active hot wallet | If something bad happens, your damage is limited. |
Watch how a project communicates after an incident | Honest, quick updates are a good trust signal. |
Understand the trade model you are using | Convenience does not mean safety. |
For approval clean-up, look into tools like Revoke.cash. If you are holding crypto for the long term, consider moving it to a hardware wallet so your savings are kept separate from your daily trading wallet.
The Bigger Lesson About DEX Routing
This story is bigger than one resolver. It shines a light on a basic trade-off in DeFi.
DEX aggregators give you great prices by routing your trades through many venues. That is genuinely useful. But more routing also means:
More trust assumptions
More authorisation logic
More moving parts behind the scenes
More reliance on specialist operators you cannot see
Here is the trade-off in a table.
Benefit You Get | Hidden Risk You Take On |
Better prices through smart routing | More complex execution infrastructure |
Access to deeper liquidity | Higher reliance on backend players |
Smoother, easier user experience | Less visibility into the trust layers |
Advanced order settlement features | A bigger surface area for permission bugs |
This does not mean you should run away from aggregators. It just means you should be aware that a great user experience does not automatically mean a low-risk system underneath.
Lessons for Protocols and Developers
While most of the takeaways above are for users, the deepest lessons are for the teams that build and operate these systems.
Treat Signature Logic Like Critical Code
Checking signatures is just as important as moving funds. It deserves the same careful audits and reviews.
Make Replay Protection Obvious
If a signed message can be reused or accepted in the wrong context, attackers will find a way to exploit that.
Trust Less, Verify More
A contract should never assume another part of the system already did the safety checks. Each layer should verify what it cares about.
Lock Signatures to Their Exact Purpose
Every signature should clearly say which chain, contract, order, and context it belongs to. Otherwise, it can be misused.
Learn From Repeat Patterns
If the same attacker group hits a similar flaw twice, it is not a local issue. The whole ecosystem should review for that pattern.
Final Thoughts
The TrustedVolumes exploit is a strong reminder that DeFi security failures often happen far from the buttons you click. A small signature validation bug can become a million-dollar disaster when it sits inside a system that controls large pools of money.
For you, the user, the lesson is not to panic. It is to build better mental models. When you trade through DEX aggregators, know that your experience depends on hidden infrastructure, and hidden infrastructure can break.
For protocol builders, the message is stricter. Authorisation logic must be treated as high-risk code. Signature validation, replay protection, and serious audits are not optional extras. They are the foundation that everything else stands on.
FAQ
What was the TrustedVolumes exploit?
It was a May 2026 incident where about $6.7 million was drained from a 1inch-related market maker. The cause was a bug in how signatures were checked, which let attackers bypass permissions.
What is a 1inch resolver?
A resolver is a special player in the 1inch Fusion system. It fills and settles user orders by tapping into available liquidity and choosing the best route.
What is a signature validation flaw?
It is a coding mistake that makes a system accept fake, tampered, or reused signatures as if they were real. This can give attackers the ability to perform actions they should not be allowed to do.
Could regular users have prevented this exploit?
Not directly. Bugs at the resolver level are mostly out of user hands. But users can still lower their overall risk through good wallet habits and careful platform choices.
Why do hackers focus on resolvers?
Because resolvers handle large balances, run complex code, and sit close to where real trades are settled. That combination makes them very tempting targets.
What should protocol teams learn from this?
They should strengthen signature checks, add replay protection, reduce blind trust between system layers, and treat permission code as one of the most sensitive parts of the codebase.
Disclaimer
This content is for educational and informational purposes only and is not financial advice. Nothing here is a recommendation to buy or sell any asset or use any platform. Do your own research and manage your risk.
Read more
Need deeper training?
Join our structured modules with live examples and expert checklists for effective implementation.
JOIN THE ACADEMY
Ad
Get a $100K funded account
See current qualification terms and payout conditions.
Sponsored
Share Transmission
Broadcast this signal to your network
