hodler

7 May 2026, 09:29

DeFi attacker steals $6.7M from 1inch market maker

1inch liquidity provider and market maker TrustedVolumes has fallen victim to an ongoing exploit on the Ethereum network. As of now, approximately $6.7 million has been drained in wrapped assets and stablecoins. According to security company Blockaid, the hack took place on May 7, 2026, through which a complex attack was carried out against the resolver contract of the project. The exact amount of tokens drained included WETH, USDT, WBTC, and USDC. What happened in the TrustedVolumes exploit on-chain? According to Blockaid’s detection systems, the attack hit TrustedVolumes’ resolver contract at address 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31. The exploiter wallet 0xC3EBDdEa4f69df717a8f5c89e7cF20C1c0389100 executed the primary transaction. As earlier stated by Blockaid and confirmed on Etherscan, the $5.87 million in drained tokens consisted of 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1,268,771 USDC. As of now, TrustedVolumes has confirmed the hack, which now stands at the north of $6.7M from the earlier reported $5.87M. The entity is considering a bug bounty. 🚨 We were recently exploited. The addresses currently holding the stolen funds are: [ https://t.co/Uffg1StIhA ]( https://t.co/Uffg1StIhA ) — approx. $3M [ https://t.co/gUCDHwOOTC ]( https://t.co/gUCDHwOOTC ) — approx. $3M [ https://t.co/68Lu7Bq0MJ ] [ https://t.co/68Lu7Bq0MJ ] —… — TrustedVolumes (@trustedvolumes) May 7, 2026 PeckShieldAlert further disclosed that the hacker aggregated all drained assets into 2,513 ETH via internal swapping using a custom proxy. Trace of the hacked funds as reported by PeckShieldAlert. The vulnerability in question exploited a custom RFQ (request-for-quote) swap proxy controlled by TrustedVolumes at the address 0xeEeEEe53033F7227d488ae83a. For blockchain analysts, the connection between the two events was easy to make; it appears that the same hacker who pulled off the March 2025 hack on 1inch Fusion V1, netting them around $5 million, is behind this latest attack. Blockaid reports that the flaw leveraged in this instance is completely different from the one exploited during the previous incident, targeting the company’s unique RFQ system rather than the Fusion V1 codebase. As of now, TrustedVolumes has confirmed the hack, which now stands at the north of $6.7M from the earlier reported $5.87M. The entity is considering a bug bounty. Hackers drained approximately $8.23M from investors in May 2026 The latest breach on TrustedVolumes is the fifth major DeFi breach within just days of May 2026. Security monitoring tools have already detected five major breaches, totaling a loss exceeding $8 million. The above cases involving Ethereum, cross-chain bridges, and decentralized exchanges now show a disturbing trend: the month of April’s unprecedented $625-$635 million theft in 28-30 attacks. On May 1, Sharwa.Finance was reported to be the first victim. Oracle price manipulation in the protocol logic led the attackers to drain $32,850 from the platform. On the same day, Bisq, one of the oldest decentralized peer-to-peer exchange platforms, was attacked using the Bisq V1 client exploit, resulting in a loss of $858,000 in funds. As reported by Cryptopolitan , one of the project’s contributors, Henrik Jannsen, released a comprehensive plan for reimbursement on GitHub, highlighting the aim of providing a “fast, full reimbursement with as little friction as possible.” In the process, victims will be able to opt for compensation mainly in Bitcoin, with BSQ being the secondary option. Attacks picked up in the middle of the week. First, on May 4, a flash loan attack on the SmartCredit protocol extracted $72,000 through malicious use of the borrowing mechanism. Ekubo, SmartCredit, Sharwa.Finance and Bisq hack entries for May 2026. Source: DeFiLlama Hacks Database. Second, the liquidity-focused Ekubo protocol lost $1.4 million (17 WBTC) due to an improper access-control vulnerability in its router module on May 5. According to on-chain data, the attacker performed 85 fast transactions, funneling the pilfered funds through DeFi platforms connected via Velora before swapping some of it for USDC, DAI, and ETH. Your bank is using your money. You’re getting the scraps. Watch our free video on becoming your own bank

7 May 2026, 09:22

DeFi Exploit Wave Worsens With $5.87M At TrustedVolumes Hack And Increased Security Concerns

Another day, another decentralized finance (DeFi) exploit , the liquidity provider. TrustedVolumes has been targeted in a fresh attack causing losses of almost $5.87 million across some crypto-assets. The breach is part of a growing list of vulnerabilities afflicting the ecosystem, and adds to the tally as at least five DeFi exploits have been reported this month. Blockchain security firm Blockaid attributed the hack to an attacker who managed to successfully drain 1,291.16 WETH, 206,282 USDT, 16.939 WBTC and 1,268,771 USDC, all transacted on Ethereum network. When news first broke, the scale of the breach was staggering, but even more staggering is that it happened as DeFi protocols are facing increased scrutiny for their security. Blockaid's exploit detection system has identified an on-going exploit on TrustedVolumes (1inch market maker / resolver, @trustedvolumes ). Chain: Ethereum Victim contract: TrustedVolumes resolver — 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31 Exploiter:… — Blockaid (@blockaid_) May 7, 2026 The attack is said to still be ongoing, which has created an urgency within security teams and the crypto community at large to stop any further losses. As money continues to change hands, investigators have begun tracking on-chain movements in real time. Attacker Linked To Previous 1inch Fusion Hack In a troubling turn of events, Blockaid has linked the exploit of TrustedVolumes to the same actor that perpetrated the 1inch Fusion V1 March 2025 Attack. The connection suggests a pattern of serial attacks and raises tantalising questions about how established threat actors continue to exploit vulnerabilities across multiple DeFi underbelly. This attacker’s return highlights an industry-wide systemic error of insufficient deterrence and improper coordination of defense strategies between protocols. The attacker had previously used them for attacks but has learned from mistakes and now specialised in conducting operations against new targets, using these natural weaknesses of liquidity infrastructures. This is not a pattern that is rare to come by in DeFi. After identifying exploitable logic or systemic defects, an attacker often can improve their techniques and come back with more advanced methods. That’s the path that breaches like TrustedVolumes tend to follow, which is why it’s important to think about how to build a proactive security framework instead of a reactive one. 1inch Clarifies No Direct Impact On Protocol Or Users The protocol issued an unambiguous notice in the wake of speculation regarding the exploit’s connection to 1inch. Its core systems, underpinning infrastructure and users’ funds are reported to be unaffected, said 1inch. We are aware of misleading reports relating to an exploit involving TrustedVolumes. We can confirm that neither 1inch nor any of the 1inch protocols are involved. There is no impact on 1inch systems, infrastructure or user funds. TrustedVolumes operate independently as a… — 1inch (@1inch) May 7, 2026 This arises from TrustedVolumes providing liquidity, being the protocol that interfaces with 1inch and others. Still, 1inch stressed that TrustedVolumes is a standalone dapp and not exclusive to its platform. This distinction is crucial. Interconnectedness in DeFi means that third-part liquidity providers often deal with several platforms, forming an overlap of relations which leads to lapses in tracing security breaches. Although 1inch’s infrastructure is still unaffected by this incident, the exploitation has shown that reading channels emanating directly from adjacent entities can be diverted and subsequently result in market distortion and user distrust. The 1inch token continues to trade at normal conditions with no significant impact on the price or volume, currently trading at $0.098. Multifaceted Drain Sheds Light On The Complexity Of Modern Attacks This breakdown of stolen assets expands on the increasing sophistication of DeFi exploits The attacker targets four different tokens, WETH, USDT, WBTC, and USDC, which showcases an advanced understanding of liquidity flows and the interoperability of assets that exist within Ethereum. This multi-asset approach allows attackers to spread out their risk and maximize recovery efficiency. Stablecoins (USDT, USDC) are instantly freshly liquid while wrapped assets (WETH or WBTC) offer deeper protocol level integration with DEXes/lending protocols. Such attacks are rarely opportunistic. These usually involve extracting smart contracts and liquidity and usually require precise timing. This exploit pattern seems the playbook for TrustedVolumes, leveraging technical weaknesses and capital market structures to conduct impactful attacks. Increasing Monthly Share of Exploits Indicates Systemic Weakness The most worrying fact is that this is the fifth DeFi exploit in the same month. This indicates that it is more systemic than isolated, which may put many layers of the decentralized ecosystem in jeopardy. Every exploit chips away at precisely that confidence not only in the afflicted actors, but all of DeFi. Repeated security breaches present significant worries for risk management, regulatory oversight, and the long term viability of the sector to institutional investors as well as newcomers. Auditing, bug bounty programs and formal verification have all advanced yet attackers keep finding entry points. This suggests that existing security measures, even though getting better, are still not effective against bad actors who are still evolving towards more sophisticated behaviours. One thing the industry is currently faced with is whether it can evolve its security standards faster than new threats rise. Response From the Industry and Continued Monitoring 1inch acknowledged that it is carefully following the situation and working with its security partners in response to the exploit. These types of coordinated responses are the new norm in DeFi, where speed and information sharing are essential elements to containing the damage. Meanwhile, blockchain analytics firms and security platforms track the attackers’ on-chain activity to detect patterns of exploitation and allow forensic investigations that may be used to freeze the effort when possible. However, due to the pseudonymous nature of blockchain transactions, recovery is a tedious process. Details surrounding the incident with TrustedVolumes further highlights why we should be transparent. Addressing this breach upfront is an important step and reassures users, do your homework to mitigate misinformation during these times. A Defining Moment For The Maturity Of Security In DeFi With the growth of the DeFi ecosystem, TrustedVolumes exploit serve as stark reminders of dangers inherent to open monetary systems. Innovation and accessibility come along with a set-in-stone trade-off, and security happens to be one of them. The return of familiar attackers, the increase in monthly exploits, and the sophistication of multi-asset breaches suggest that this is both an industry maturing and a hint into vulnerability. Going forward greater cooperation between protocols, liquidity providers and security companies will be needed. In the end, sustainable growth in DeFi will depend on the sector’s ability to create scalable, yet resilient systems. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !

7 May 2026, 09:08

KelpDAO exploiter’s wallets get liquidated on Aave

Aave DAO has voted to liquidate the frozen ETH funds from the KelpDAO hack. Aave has worked with KelpDAO, the LayerZero team, EtherFi, Compound, and other counterparties to recover as much funds as possible. The Arbitrum Governance process asked for approval to release 30,765.67 ETH frozen by the Arbitrum Security Council to become a part of a coordinated remediation effort. The end goal is to make all rsETH holders whole by restoring the wrapped token’s ETH backing in full. As Cryptopolitan reported , the ability to freeze and claw back funds has created a precedent in the crypto space, sparking controversy on the ability to compensate for earlier hacks. For now, the Arbitrum Security Council has only partially intercepted the hacker’s transactions. As a result of the hack, KelpDAO has also decided to move its cross-chain infrastructure to Chainlink’s CCIP ecosystem. Previously, KelpDAO considered the Layer Zero cross-chain tools to be one of the main reasons for the $292M exploit. 90% of Aave representatives voted for the liquidation According to Aave, a total of 1,600 addresses backed by 190M ARB tokens voted in favor of unfreezing the funds. Currently, the ETH is under the control of Arbitrum DAO. The decision achieved a strong approval of over 90% during the week of voting. Aave considers the decision a precedent for future recovery efforts in DeFi hacks. Stani Kulechov, the founder of Aave, announced that additional steps are coming to make Aave whole and compensate the bad loans. As part of the technical implementation plan for rsETH recovery, the attacker’s position has now been liquidated on both Ethereum and Arbitrum. This was an incredible technical effort by all contributors involved. Following up with the next steps shortly. https://t.co/KI9EOBXWU3 — Stani (@StaniKulechov) May 6, 2026 The Aave protocol also used its internal protection mechanisms against the hacker. After the exploit, some of the rsETH was used in attempts to take additional loans. However, when the token’s risk crossed a certain threshold, the hacker was liquidated. Despite this, Aave on Arbitrum estimated bad loans between $170M and $230M. Aave strives to recover normal lending Aave stabilized its value locked at above $15B following the initial outflow of $10B. Some of the leading vaults have improved their health, with utilization rates falling below 100%. The WETH lending vault has a utilization above 93%, while the USDT and USDC vaults sit at 92% and 91%. Aave stablecoin vaults have started normalizing their utilization and yield rates after the wave of withdrawals. | Source: AaveScan. The utilization rates signal the run to withdraw from Aave has ended, but the overall effect is lower lending activity, which may have to go through a long recovery. Lending in total has fallen by 35% in the past 30 days, while stablecoin liquidity has fallen by 46.3% for the past month, based on Aavescan data . Despite this, the average lending rate has normalized to 2.76%, while the borrowing rate sits at 4.08%, with variations between specific vaults. Despite the drop, Aave lending is healthier compared to the 2022 crash, and is still considered central to DeFi activity. Following the initial shock, the AAVE token stabilized at around $94, still showing weak signs of recovery despite the overall crypto market improvement. The protocol has retained its GHO tokens at over $538M, with no recent supply burned. If you want a calmer entry point into DeFi crypto without the usual hype, start with this free video.

7 May 2026, 09:00

Blockaid detects $5.87mln TrustedVolumes exploit – Here’s what happened!

2026 is proving to be one of DeFi's most difficult years as Blockaid also identifies a new vulnerability.

7 May 2026, 08:49

TrustedVolumes Hack Drains $6.7M, Team Opens Bounty Talks

TrustedVolumes was exploited today, May 7, 2026 and has lost almost $6.7 million. The attackers discovered a flaw in the proxy contract and by exploiting the flaw, the attackers managed to drain funds. The breach highlights rising security threats across DeFi infrastructure. Today, on May 7, 2026, alerts from blockchain security firm Blockaid signaled that TrustedVolumes, a major liquidity provider and market maker for the 1inch ecosystem, had been exploited on the Ethereum network. The attacker extracted approximately $6.7 million in assets (according to TrustedVolumes), including 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1,268,771 USDC, according to Blockaid and Web3 security firms. The incident is being investigated as a sophisticated smart-contract exploit rather than a traditional phishing smart-contract exploit or social engineering attack, underlining persistent vulnerabilities in decentralized finance (DeFi) protocols. What Went Wrong in the TrustedVolume Exploit? At the centre of all this chaos was a custom RFQ (Request for Quote) swap proxy contract , 0xeeee….1756, controlled by TrustedVolumes. The attacker, operating from the address 0xc3eb….9100, deployed a malicious contract that first called ‘registerAllowedOrderSigner(signer=0xc3eb…9100, allowed=true)’ on the settlement contract, effectively granting itself authorization to execute trades. Leveraging the TrustedVolumes Market Maker’s unlimited approval to the settlement contract, the attacker initiated multiple settlement transaction, using selector 0x4112e1c2 to withdraw large amounts of WETH, USDT, WBTC and USDC units to the market maker. This allowed the attacker to drain the liquidity pool before the funds were transferred back to the exploit address. Security analyses indicate that the vulnerability stemmed from insufficient access controls and lack of strict validation checks in the RFQ swap proxy. A core admin function was left publicly accessible and it did not have any restrictions. This allowed the attacker to bypass security checks and exploit the contract. This mirrors earlier incidents, such as the March 2025 1inch Fusion v1 exploit, where similar oversights in legacy smart contracts allowed attackers to drain liquidity, though the current exploit targets different contract component. The attack indicates the risks of custom, high risk pathways in DeFi systems that interact directly with large liquidity pools. TrustedVolumes Opens Bug Bounty Talks After $6.7 Million Exploit TrustedVolumes publicly acknowledged the recent exploit and confirmed through an X (formerly known as Twitter) post that several wallet addresses are currently holding the stolen funds. The team in the post also talks about the estimated loss which was around $6.7 million across multiple Ethereum addresses. In its statement, TrustedVolumes said that the platform is open to discuss with the attacker over a possible bug bounty agreement and a workable resolution. The protocol also shared direct contact details, including ProtonMail and Telegram, so anyone with useful information can reach out and potentially help recover stolen assets. The incident once again highlights rising security risks for DeFi protocols and liquidity providers. Is This Exploit Similar to Recent DeFi Attacks? The TrustedVolumes exploit shares parallels with several high-profile DeFi breaches in 2026, particularly those involving cross-chain and restaking protocols. Moreover, the Drift Protocol exploit on Solana, which resulted in a $285 million loss, utilized social engineering to compromise the protocol’s multisig governance and durable nonces, allowing pre-signed transactions to be executed. In the same way, KelpDAO exploit , linked to approximately $292-294 million in losses, exploited vulnerabilities in its LayerZero-based rsETH bridge, where manipulated cross-chain messaging led to the issuance of unsupported rsETH tokens. These incidents collectively highlight a trend: custom, high-complexity components in DeFi, such as RFQ proxies, cross-chain bridges, and governance mechanisms, are prime targets for sophisticated actors. The TrustedVolumes exploit, like the Drift and KelpDAO cases, demonstrates how single points of failure in smart contracts or infrastructure can trigger cascading effects across the ecosystem. Additionally, the Lazarus Group, a North Korea-linked hacking collective, has been associated with such large-scale DeFi heist, leveraging their expertise in cross-chain attacks and operational flaws. The Role of AI in Exploits: The Lazarus Theory There are speculations going around that the Lazarus group may be leveraging artificial intelligence (AI) to accelerate and automate exploit discovery. AI tools can analyze vast amounts of on-chain data, identifying patterns in contact interactions, gas usage, and user behaviour to pinpoint vulnerabilities faster than traditional methods. For example, machine learning models can simulate attack scenarios, optimizing for maximum yield in minimal time, as seen in cross-chain exploits targeting protocols like KelpDAO. Impact on DeFi and the Broader Ecosystem The TrustedVolumes exploit adds to a wave of high-value DeFi hacks in 2026, contributing to more than $13-15 billion in TVL (Total Value Locked) outflows across major protocol like Aave and Compound. These incidents have eroded user confidence, with many platforms halting operations or implementing emergency pauses to mitigate further losses. The repeated targeting of market makers and liquidity providers highlight systemic risks, as disruptions in these roles can cascade into broader liquidity crunches and price volatility. For protocols like KelpDAO and Drift, the impact includes not only direct financial losses but also reputational damage and regulatory scrutiny. The KelpDAO rsETH bridge exploit, for example led to questions about the security of cross-chain infrastructure, prompting calls for enhanced audits and isolations of critical components. Similarly, the Drift exploit emphasized the need for robust governance and multi-signature safeguards. The TrustedVolumes incident serves as a reminder that even well-audited projects with established security measures remain vulnerable to evolving attack vectors. Recommendations for the DeFi Community To avoid such exploits in the future, DeFi protocols should adopt strict allowlists and invariant checks for all swaps and proxy pathways, treating resolver/operator flows as high-risk surfaces. There should be continuous on-chain monitoring, emergency kill-switch mechanisms, and regular audits are essential to detect and respond to anomalies promptly. Additionally, isolating custom components behind robust access controls can prevent unauthorized interactions, as highlighted by the TrustedVolumes vulnerabilities. As AI-driven attacks become more sophisticated, collaboration between security firms and AI developers is crucial to develop proactive defenses. The DeFi ecosystem must prioritize transparency, resilience, and rapid response to maintain trust and make sure there is sustainable growth. With the KelpDAO and Drift Protocols under increased scrutiny, the lessons from incidents like TrustedVolumes could shape a more secure future for decentralized finance. Also Read: Bitcoin Surges Past $81K While Altcoins Hint at a Comeback

7 May 2026, 08:30

US Bitcoin Reserve Plan Nears Major White House Update

White House crypto advisor Patrick Witt said the Trump administration will announce new details on the US Strategic Bitcoin Reserve within “the next few weeks,” framing the update as both a policy milestone and a custody response after an alleged exploit involving digital assets held by the US Marshals Service. Speaking at Consensus 2026 in Miami on Wednesday, Witt said the administration’s work on the Strategic Bitcoin Reserve, or SBR, and the separate digital asset stockpile had been progressing largely out of public view. The next announcement, he indicated, will focus on “exactly the progress that’s been made and where we’re going from here.” Trump’s Bitcoin Reserve Heads Toward New Update President Donald Trump signed an executive order in March 2025 establishing the Strategic Bitcoin Reserve and a US Digital Asset Stockpile, with the bitcoin reserve capitalized by BTC finally forfeited to the Treasury through criminal or civil asset forfeiture proceedings. The non-bitcoin stockpile covers other forfeited digital assets under a separate framework. Related Reading: Bitcoin Breaks $80,000, But On-Chain Activity Signals A Silent Warning Witt tied the coming update directly to a recent security incident. “So, as many of the folks in this room may have seen, there was an exploit of certain assets that were held by the US Marshals just a month or two ago. We obviously started the work on the SBR, the digital asset stockpile, without thinking about that, but obviously thinking about we need to properly secure these assets. So it’s a case in point for why it was so necessary that the President established the SBR and that he instructed the agencies to take these assets very seriously and properly safeguard them.” He added that digital asset custody creates challenges that do not fit neatly into legacy government asset-management procedures. “Custody is unique for digital assets. So we’ve made a tremendous amount of progress that’s kind of happened in the background and we’ll be making an announcement in the next few weeks, you know, laying out exactly the progress that’s been made and where we’re going from here.” The exploit Witt referenced appears to be the alleged theft tied to John Daghita, also known online as “John” or “Lick.” The case became public after blockchain investigator ZachXBT linked the “John/Lick” persona to wallets moving funds connected to US government-controlled crypto addresses. TRM Labs later said Daghita was arrested in Saint Martin in a joint operation involving the French Gendarmerie and the FBI, with authorities alleging he stole cryptocurrency from wallets associated with the US Marshals Service. Related Reading: Bitcoin Seasonality Flashes Bullish May Signal After Two Green Months According to TRM’s summary, the investigation traced part of the activity to cryptocurrency seized in connection with the 2016 Bitfinex hack. TRM said approximately $24.9 million of the traced funds originated from a US government-controlled wallet, while ZachXBT alleged that Daghita stole more than $46 million in seized crypto assets by abusing access at CMDSS, his father’s company, which held a US Marshals Service contract. Notably, Witt had already previewed the update days earlier at Bitcoin 2026 in Las Vegas. Speaking on a panel at The Venetian Resort, he said the administration had spent months working through the legal interpretations needed to protect bitcoin on the government balance sheet after Trump’s executive order. “In the next few weeks, we’ll be making a big announcement,” Witt said there, adding that the administration believed it could take a “big step forward from the executive branch side” even before Congress acts. He also made clear at Bitcoin 2026 that legislation would still be needed to lock the policy in more permanently. That distinction is central: an executive-branch framework can shape custody and management now, but a statutory framework would be harder for a future administration to unwind. At press time, BTC traded at $81,530. Featured image created with DALL.E, chart from TradingView.com