Ethereum’s Latest Oopsie: Hacker Swipes $5.9M in a Blink!

by

Well, butter my biscuit and call me a wizard, but it seems the Ethereum blockchain has had another one of its “oopsie-daisies.” TrustedVolumes, a liquidity provider with a name that screams “trust us, we’re totally secure,” has lost a cool $5.9 million to a hacker who probably cackled like a maniac while typing away in their dimly lit lair.

The scoundrel, no doubt wearing a cloak of invisibility (or at least a very good VPN), exploited a vulnerability in TrustedVolumes’ custom trading system. They made off with a haul that included ETH, WBTC, and enough stablecoins (USDT and USDC) to make a dragon jealous. Talk about a five-finger discount!

The Tale of Woe

According to the ever-vigilant blockchain security firm Blockaid, who caught the exploit mid-heist, the loot included 1,291 WETH, 16.9 WBTC, 206,000 USDT, and nearly 1.27 million USDC. That’s enough to buy a small country, or at least a very fancy hat.

The trickster abused a design flaw in TrustedVolumes’ Request for Quote (RFQ) proxy, a system so fancy it probably came with its own butler. GoPlus Security, ever the detective, pointed out that the attacker registered themselves as an authorized “order signer” using a function called “registerAllowedOrderSigner()”-a function as public as a town crier in the marketplace.

Here’s the kicker: the settlement function was as confused as a tourist in Ankh-Morpork. It checked authorization against one address but pulled funds from another. The attacker, no doubt grinning like a cat with a canary, used this gap to execute four drain transactions against the TrustedVolumes resolver contract. Each time, they pulled assets and sent back a single raw USDC unit-the blockchain equivalent of leaving a tip in pennies.

Security researcher Defi Nerd (a name that screams “I know what I’m doing”) detailed how the attacker converted the stolen WETH back into ETH and forwarded everything to their own wallet. Smooth as a troll’s backside, that one.

TrustedVolumes, in a move that’s either desperate or optimistic, publicly posted the wallet addresses holding the stolen funds and asked the hacker to get in touch about a “bug bounty and a mutually acceptable resolution.” Because, you know, thieves love a good negotiation.

1inch Says, “Not Our Circus, Not Our Monkeys”

Early reports tried to pin this on 1inch, since TrustedVolumes is a liquidity provider and market maker on their platform. But 1inch was quick to distance itself, stating that their protocol wasn’t compromised and no user funds were affected. “Not our fault,” they said, probably while washing their hands of the whole affair.

This all comes during a rough patch for the DeFi ecosystem, which has been leakier than a sieve lately. April saw over $650 million in crypto stolen, with KelpDAO and Drift Protocol taking the biggest hits. Compared to that, $5.9 million might seem like small potatoes, but the technical finesse of this exploit-deploying a helper contract, abusing self-service signer registration, and exploiting a maker/funding-source mismatch-puts it in a league of its own. It’s like a master thief stealing a spoon just to prove they could.

So, what’s the moral of this story? Perhaps it’s that even in the world of blockchain, where everything is supposed to be secure and transparent, there’s always a clever scoundrel waiting to exploit the system. Or maybe it’s just that you should never trust a system named “TrustedVolumes.” Either way, it’s been another exciting day in the wild, wild west of cryptocurrency.

Read More

2026-05-09 20:52