Decentralized finance suffered another major security blow on Wednesday when TrustedVolumes – a liquidity provider closely tied to the 1inch aggregator’s infrastructure – was drained of approximately $5.87 million in a sophisticated exploit. The attack marks the fifth significant DeFi hack this month alone, putting the industry’s security record in sharp focus just as top executives gathered in Miami to discuss crypto’s mainstream future.
1inch was quick to clarify that its own protocol wasn’t directly compromised. The incident has renewed scrutiny of how deeply interconnected DeFi’s liquidity system has become – and how a weakness in one component can cascade rapidly through an entire network.
What Happened: The Attack Breakdown
According to blockchain security firm Blockaid, which detected the exploit in real time via its live monitoring systems, the attacker exploited a vulnerability in TrustedVolumes’ smart contract infrastructure to siphon funds without requiring users to approve any new transactions.
That last detail is what makes this attack particularly alarming. Most DeFi exploits require victims to have signed a malicious transaction at some point, giving security tools a window to warn users. In this case, existing approvals – granted by users when they first interacted with TrustedVolumes – were enough for the attacker to move funds.
“What made the exploit especially dangerous is that users didn’t need to approve any new transaction for the attack to happen,” Blockaid noted in its technical summary.
The attacker drained assets progressively, with reports tracking the haul growing from an initial $3 million to the final confirmed total of approximately $5.87 million in Ethereum-based assets.
The Serial Attacker Angle
This wasn’t an isolated incident involving an anonymous opportunist. Blockchain investigators have linked the TrustedVolumes attack to the same wallet that executed a $5 million exploit against 1inch’s Fusion V1 smart contracts back in March 2026. That earlier attack specifically targeted old, unrevoked resolver contracts – a different vector but the same pattern of exploiting stale contract permissions.
The recurrence of the same attacker – apparently undeterred by the March incident – raises serious questions about whether sufficient action was taken after the first breach to identify and neutralize the threat actor’s approach.
“This is the same attacker,” multiple on-chain analysts confirmed across social media Wednesday, citing wallet address links. “They found another entry point after the first one was patched.”
1inch Responds: “Not Our Protocol”
The 1inch development team moved quickly to distance the protocol from the attack. In a post on X, the team clarified that TrustedVolumes is an independent liquidity provider and market maker on top of 1inch infrastructure – it isn’t a core part of the 1inch protocol itself.
“The 1inch protocol hasn’t been exploited,” the team stated. “TrustedVolumes is a third-party liquidity provider. Users interacting solely through 1inch’s own smart contracts weren’t affected.”
That distinction, while technically accurate, provides little comfort to users who had deposited assets with TrustedVolumes expecting the backing of 1inch’s reputation and security standards. DeFi’s modular architecture means that partner and integrated protocols can create attack surfaces that users may not fully understand.
DeFi’s Brutal May: Five Exploits in Eight Days
The TrustedVolumes hack is the fifth DeFi exploit to hit the industry in the first eight days of May 2026, according to data tracked by crypto security researchers. While the individual amounts vary – from smaller protocol bugs netting low six figures to multi-million-dollar heists – the concentration of incidents in a single month is striking.
DeFi hack data from DefiLlama shows that cumulative losses from smart contract exploits have accelerated significantly in 2026, partly due to the expansion of new protocols launching on multiple chains simultaneously, each with its own audit requirements and upgrade cycles.
Security researchers point to several common threads in this year’s exploit wave:
- Stale approval exploitation: Attackers are increasingly targeting old, unrevoked permissions granted by users years ago – permissions that still allow significant asset movements.
- Cross-chain complexity: Protocols operating across multiple blockchains have more potential attack surfaces.
- Speed of deployment: Competitive pressure to ship fast means some protocols are cutting corners on complete audits.
What Users Should Do Right Now
Security experts are urging DeFi users to take immediate steps to reduce their exposure:
1. Revoke un token approvals. Tools like Revoke.cash, Etherscan’s Token Approvals page, and Rabby Wallet’s approval manager make this straightforward. 2. Audit your connected wallets. Any wallet that interacted with TrustedVolumes or 1inch Fusion V1 should be considered at raised risk until further notice. 3. Move funds to cold storage if you aren’t actively using them in DeFi protocols.
“If you’ve ever interacted with TrustedVolumes, go revoke your approvals right now,” blockchain security researcher Spreek posted on X following the attack.
The Bigger Picture: Can DeFi Handle Mainstream Adoption?
The timing is awkward. At Consensus Miami 2026, executives from Bridge and Deus X Capital were declaring that “DeFi isn’t dead” and that the technology was going mainstream, powered by AI agents and corporate treasury adoption. Meanwhile, a DeFi exploit was actively draining user funds in the background.
The gap between DeFi’s ambitions and its security record remains a genuine obstacle to institutional adoption. Traditional financial institutions looking at DeFi are watching incidents like this closely. Every high-profile hack reinforces the case for regulated, custodied alternatives – precisely the product that BNY Mellon is now rolling out in Abu Dhabi.
For DeFi to truly go mainstream, the industry needs more than innovations in yield mechanics and AI integration. It needs a security record that institutional risk managers can accept. That remains a work in progress.
FAQ
Was 1inch itself hacked in this exploit? No. 1inch confirmed that its own protocol wasn’t directly compromised. TrustedVolumes is an independent third-party liquidity provider that operates alongside 1inch infrastructure. The exploit targeted TrustedVolumes’ smart contracts specifically.
How do I know if my wallet was affected? If you have ever interacted with TrustedVolumes or granted token approvals to 1inch Fusion V1 contracts, your wallet may be at risk. Use Revoke.cash or Etherscan’s Token Approval tool to check and revoke any outstanding permissions linked to these contracts.
Is this attack connected to the March 2026 1inch Fusion V1 exploit? On-chain investigators have linked both attacks to the same wallet address, suggesting the same attacker is responsible for both the March $5 million Fusion V1 exploit and the May TrustedVolumes hack.
