At some point between late April and early May 2026, a known hacker returned to familiar ground. TrustedVolumes, one of the liquidity resolvers operating within the 1inch ecosystem, lost approximately $6.7 million in WETH, WBTC, USDT and USDC after the attacker found an elementary flaw in the custom RFQ (request for quote) contract used by the protocol. The public function that managed the whitelist of "authorized order signers" had no permission modifier. Any address could register itself as an authorized signer and, from there, forge valid orders.
The detail that transforms the case into something more than another line item in DeFi's painful accounting in 2026 is the identity of the operator. Blockaid, which monitored the exploit in real time, confirmed: it is the same attacker who drained $5 million from the 1inch Fusion V1 Settlement contract in March 2025. Same primary victim, same operator, different vector. Fourteen months after the first appearance, the hacker returned — and this time TrustedVolumes chose not to call the police, not to request a freeze from Arbitrum, not to call for a bailout. It offered to negotiate a white-hat bounty. The hacker accepted. Most of the funds were returned.
The April historical record and what happens when it ends
To understand why the TrustedVolumes case became a milestone and not just another line in the spreadsheet, you need to frame the previous month. April 2026 was the worst month for crypto hacks in measured history by number of incidents — more than 40 attacks, totaling approximately $647 million, according to PeckShield. The jump represents +1,140% month-over-month compared to March, which had recorded $52.2 million. Two incidents dominated the month: Drift Protocol ($285 million, April 1, attributed to North Korean UNC4736) and KelpDAO ($293 million, April 18). Together, they accounted for 89% of April's losses.
The aggregate context is even more serious. Groups linked to North Korea account for 76% of all crypto hack losses in 2026 through April. In January, DeFi's Black April consolidated the Pyongyang pattern as a structural source of risk. The systemic consequence of the KelpDAO exploit was immediate: in the following 48 hours, more than $8.4 billion exited Aave and aggregate DeFi TVL fell by more than $13 billion.
It is against this backdrop that TrustedVolumes happens. It is not the largest hack of 2026 — it is two orders of magnitude below Kelp. But it is the first major exploit post-bailout, after the sector demonstrated coordinated response capacity. And it inaugurates a new policy.
The technical anatomy: 13 lines, RFQ proxy, signature bypass
The vulnerable contract was an RFQ swap proxy controlled by TrustedVolumes: a custom layer it operated on top of the standard 1inch route to do quoting and direct settlement with market makers. This proxy contained a public function responsible for managing the whitelist of addresses authorized to sign orders on behalf of the resolver. The registration function had no permission modifier: no onlyOwner, no onlyRole, no verification of any kind. Any external address could register itself as an authorized signer.
The attacker exploited this in the most straightforward way possible. It registered itself as an authorized signer, generated valid signatures for arbitrary swap orders, and drained the assets under the proxy's control. The first instance of the exploit involved 2,513 ETH, which the attacker spread across three addresses before swapping out via DEXs.
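The flaw described above, as an added illustration that is not TrustedVolumes' or 1inch's code: a minimal signer registry with the unprotected registration function beside a hardened version, plus the Foundry test that would have flagged the missing modifier. Contract, function and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol"; // only needed for the test contract at the bottom

// Illustrative sketch, not the TrustedVolumes contract; all names are assumptions.
// The whitelist decides whose signatures settlement will honour, so whoever can
// write to it can forge "valid" orders.

contract VulnerableSignerRegistry {
    mapping(address => bool) public authorizedSigners;

    // No modifier: any caller can whitelist any address, including itself.
    function addSigner(address signer) external {
        authorizedSigners[signer] = true;
    }
}

contract HardenedSignerRegistry {
    address public immutable owner;
    mapping(address => bool) public authorizedSigners;

    event SignerAdded(address indexed signer);
    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address initialOwner) {
        owner = initialOwner;
    }

    // Only the owner (ideally a multisig) may change the signer set, and the
    // change is logged so monitoring can alert on unexpected additions.
    function addSigner(address signer) external onlyOwner {
        authorizedSigners[signer] = true;
        emit SignerAdded(signer);
    }
}

// The Foundry test that would have flagged the missing modifier.
contract SignerRegistryTest is Test {
    function testStrangerCannotAddSigner() public {
        HardenedSignerRegistry reg = new HardenedSignerRegistry(address(this));
        vm.prank(address(0xBEEF));
        vm.expectRevert(HardenedSignerRegistry.NotOwner.selector);
        reg.addSigner(address(0xBEEF));
    }
}
```

Run with `forge test`; the same test written against VulnerableSignerRegistry fails, because the call from the stranger succeeds instead of reverting.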
1inch was categorical in severing the brand connection: its own infrastructure, router contracts, standard liquidity sources and user funds on the platform were not affected. TrustedVolumes operates independently as a liquidity provider; it is a client, not a component, of 1inch. But the 1inch name entered all the headlines because TrustedVolumes is part of the resolver network that serves the router. The reputational damage will persist even though the technical separation is correct.
The recidivist hacker: two targets, same victim, different vectors
Blockaid attributed the exploit to the same operator that executed the attack on 1inch Fusion V1 Settlement in March 2025. Interestingly, in both cases TrustedVolumes was the primary victim — in 2025 it lost $5 million; in 2026, $6.7 million. Total accumulated by the same attacker attacking the same victim: $11.7 million.
The technical point is that the two exploits used radically different vectors. The 2025 attack against Fusion V1 involved low-level EVM memory manipulation within the Settlement contract — sophisticated exploitation of virtual machine invariants. The 2026 attack against the RFQ proxy is, comparatively, a trivial misconfiguration: an absent permission modifier. The same operator who did advanced EVM engineering also identified and exploited the most elementary access control flaw.
The reading is: the attacker maintains continuous surveillance of TrustedVolumes specifically. It is not an opportunistic bug hunter; it is a technical stalker of a known victim. For the defense, the implication is uncomfortable. Identifying recurrent attackers does not prevent them from attacking again if the victim's surface continues to expose errors, and in this case the same development team shipped an RFQ proxy without the most basic permission control.
The new policy: paying the hacker as a mitigation mechanism
TrustedVolumes' reaction was the most editorially interesting part. Instead of following the two institutional trajectories that DeFi had already consolidated in April, the company chose a third way.
- Phase 1 — On-chain freeze. On April 24, after the KelpDAO hack, Arbitrum One used the sequencer to freeze $71 million in attacker assets. Direct cost: zero. Reputational cost: the public admission that "decentralization" has a pause button.
- Phase 2 — Collective bailout. Five days later, Aave organized the DeFi United coalition and raised $300 million in commitments from Consensys (30 thousand ETH), Lido (2,500 stETH), EtherFi (5,000 ETH), Mantle (30 thousand ETH credit line) and Stani Kulechov himself (5 thousand ETH personal). Direct cost: $300 million dispersed across the industry. Incentive cost: large protocols became crypto's "too big to fail".
- Phase 3 — Direct negotiation with attacker. TrustedVolumes initiated public on-chain negotiation with the hacker via Ethereum transaction messages, offered a white-hat bounty deal, and the attacker accepted. Most of the funds were returned in exchange for a pre-agreed "commission". Direct cost: the portion kept by the attacker (undisclosed). Incentive cost: the sector signaled that hack-for-bounty is an acceptable outcome.
Each of the three phases has distinct trade-offs. Freeze is free but exposes the fragility of decentralization. Bailout is expensive but maintains the institutional narrative. Negotiation is discreet but creates a perverse incentive: if an experienced attacker knows they can be paid to return funds, their next decision between "extracting maximum value via mixer" and "negotiating bounty" becomes dependent solely on which outcome offers more expected return. In some scenarios, attacking to negotiate starts to dominate attacking to escape.
The structural dilemma: what this teaches the next attackers
The honest argument in favor of negotiation is practical. TrustedVolumes is a medium-sized liquidity resolver, without the capacity to organize DeFi-United-style bailouts, without institutional weight to force Arbitrum or Optimism to freeze funds. For a company in this category, recovering 70-90% of assets via bounty is mathematically superior to losing everything. The agreement is incentive-compatible locally.
The problem is structural. If each exploit ends in negotiation, the rational attacker reconfigures the utility function. Before, the option was "drain and flee vs get caught". Now, the option is "drain and flee vs drain and negotiate bounty". In both cases the attacker takes value. The difference is that negotiation replaces the risk of capture with a compulsory annuity paid by victims — and the victim who refuses to negotiate starts to look "irrational" to the market.
In other words: what was an ad hoc exception (Poly Network 2021, Wormhole etc.) is becoming a category. And category matters, because attackers operate on a portfolio basis. The next decision by an operator like the 1inch/TrustedVolumes one won't be made looking only at the individual case; it will consider the statistical history of how much exploits have yielded in negotiation versus through a mixer. If the industry average converges to 30-60% return via bounty, attacking and negotiating becomes almost guaranteed ROI for anyone with the technical capacity.
That is the byproduct that nobody debates out loud: while North Korean groups account for 76% of structural losses, "negotiable" Western attackers form an entire layer of risk that operates under a different objective function. Some want money laundered in DPRK; others want bounty paid in clean ETH. Defending against both requires opposite postures.
The context that nobody is going to say out loud: TrustedVolumes 2.0 is not a solution, it is a symptom
The critical point of the TrustedVolumes case is not the hacker, not the permission flaw, not the negotiation. It is the fact that a liquidity resolver that had been attacked in March 2025, by the same operator, returned to market fourteen months later with a new custom contract — and that new contract contained elementary access control flaws. Security engineering did not scale along with the product.
This is a typical mid-tier DeFi problem: protocols that survive the first exploit without institutionalizing security. Spot audits of individual features, no continuous bounty program, no fuzz tests against the vectors already seen in one's own history. In January 2025 the universal recommendation would have been "hire Halborn, Trail of Bits, OpenZeppelin for a full RFQ proxy review". The question the May 2026 case raises is: why wasn't that done?
The likely answer is the same one haunting the ecosystem since the Vercel hack: the cost of continuous auditing is high, the cost of an exploit is dispersed among external victims (liquidity users), and the individual protocol only feels the cost when the exploit happens. The equilibrium incentivizes underinvestment in security until the point of catastrophe, and the point of catastrophe can now be absorbed by a negotiated bounty instead of by shutting down.
The ON3X perspective
Three readings for anyone operating or investing in DeFi in this new regime:
- Post-Kelp DeFi has three public policies, and that is structural. Freeze (Arbitrum), bailout (DeFi United) and negotiation (TrustedVolumes) are not mutually exclusive alternative responses — they are layers that coexist and operate at different scales. Top-tier protocols trigger bailout. Protocols with cooperative L2 infra trigger freeze. Mid-tier protocols trigger negotiation. The choice is no longer ideological ("decentralization yes or no"); it is operational ("which mechanism applies to my size"). The sector is admitting stratification.
- The recidivist hacker is an underestimated risk pattern. The 1inch/TrustedVolumes attacker is not the only case. April's cross-chain exploits showed that architectural vectors repeat in similar victims. For investors in mid-tier protocol tokens, the minimum checklist now includes the history of exploits: not just of the current contract, but of predecessor contracts and associated operators. An experienced attacker who knows the victim's stack is a recurrent cost, not a tail event.
- Post-exploit bounty policy needs to be regulated before it becomes an incentive. Today, each negotiation case is an isolated decision by the victim company. But the aggregate effect is distorting the attacker's objective function. If the industry does not consolidate clear rules (maximum ranges, timeframe, mandatory disclosure, public list of operators who received bounty), the mechanism becomes an annuity. Perhaps the next institutional step for DeFi is exactly that: a cross-protocol framework that standardizes when to negotiate and how much to concede, with sanctions for protocols that abuse the mechanism. Without it, "constructive talks" will become mechanics of continuous extraction.
Frequently Asked Questions
What happened with TrustedVolumes in May 2026?
TrustedVolumes, a liquidity resolver operating within the 1inch ecosystem, was exploited for approximately $6.7 million. The vulnerability was in a custom RFQ (request for quote) proxy contract — the public function managing the whitelist of authorized signers had no permission modifier, so any address could register as a signer and forge valid orders. The attacker drained WETH, WBTC, USDT and USDC equivalent to 2,513 ETH, distributed it across three wallets, and initiated on-chain negotiation with the victim.
Why was 1inch not affected?
TrustedVolumes operates independently as a liquidity provider — it uses the 1inch network as a resolver, but maintains separate infrastructure, its own contracts and separate custody. The exploit was exclusively in TrustedVolumes' custom RFQ contract; no 1inch router contract, no standard platform liquidity source, no 1inch user funds were affected. 1inch issued an official statement severing the brand from the incident.
Who is the attacker and why is he "recidivist"?
Security firm Blockaid attributed the May 2026 exploit to the same operator who drained $5 million from the 1inch Fusion V1 Settlement contract in March 2025. In both cases, TrustedVolumes was the primary victim. The two attacks used different technical vectors (EVM memory manipulation in 2025; access control flaw in 2026), but the on-chain evidence of coordination between the addresses used in both events is what supports the attribution. The attacker accumulated $11.7 million from the same victim in fourteen months.
Why did TrustedVolumes negotiate with the hacker instead of requesting a freeze or bailout?
TrustedVolumes is a medium-sized liquidity resolver, without institutional weight to trigger a DeFi-United-style bailout (as happened with Aave after KelpDAO) and without a cooperative L2 to trigger an on-chain freeze (as happened with Arbitrum). For protocols in this category, negotiating a white-hat bounty is mathematically superior to losing everything: most funds are typically returned in exchange for a "commission" to the attacker. The agreement is incentive-compatible for the individual victim, but creates a market incentive for other attackers to prefer the negotiation path over fleeing via mixer.
Is this model of "negotiating bounty with hacker" new?
It is not absolutely new — famous cases like Poly Network (2021) and Wormhole had similar outcomes. What changes in 2026 is the frequency. After the KelpDAO hack in April, the sector consolidated three distinct public policies for responding to exploits: on-chain freeze, collective bailout and direct negotiation. TrustedVolumes formally inaugurates the third way as a standardized mechanism, in parallel with the other two. The incentive risk is that negotiation becomes a compulsory annuity paid by victims to recurrent operators.
What does April 2026 represent in crypto hacks?
April 2026 was the worst month in measured crypto history by number of incidents (more than 40 attacks) and the second worst in total value ($647 million), second only to February 2025 (Bybit). The jump represented +1,140% month-over-month compared to March. Two incidents dominated: Drift Protocol ($285 million, attributed to North Korean UNC4736) and KelpDAO ($293 million), totaling 89% of losses. Groups linked to North Korea account for 76% of losses throughout all of 2026 through April.
