Hacker Takes $5.9M From Ethereum Liquidity Provider TrustedVolumes




Early reports framed the incident as a 1inch exploit, but it was later clarified that the protocol was not breached and no user funds were affected.

TrustedVolumes, a liquidity provider on the Ethereum blockchain, lost about $5.9 million to a hacker on Thursday.

The attacker was able to exploit a vulnerability in the custom trading system used by the platform to withdraw the funds, which included ETH, WBTC, as well as USDT and USDC stablecoins.


What happened

According to security firm Blockaid, the funds stolen in the exploit included 1,291 WETH, around 16.9 WBTC, approximately 206,000 USDT and just under $1.27 million.

The attack worked by exploiting a design flaw in TrustedVolumes' custom order fulfillment system, known as a Request for Quote (RFQ) proxy.

GoPlus Security released details showing that the attacker registered themselves as an allowed “order signer” through the publicly accessible function “registerAllowedOrderSigner()”.

The function allows anyone to name their own address as a valid signatory for a business they control. Normally that is harmless enough, but the setup function had a different problem: it collected funds from a different address than the one whose authorization it verified.

As detailed in a technical report posted by security researcher Defy Nerd, the attacker used this loophole to challenge the Farmed Volumes Finder contract, which previously authorized the transfer of proxy tokens.


According to them, each time, the proxy pulls the assets from the solution and sends back only one raw USDC unit. The attacker then converted the stolen WETH into ETH and transferred everything to their own wallet.
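The authorization gap described above can be shown with a small model, added here as an illustration and not taken from TrustedVolumes' contract code. It assumes a single asset, stands in a `signer` field for signature recovery, and uses hypothetical names throughout apart from the registration function; the `strict` flag shows one possible fix, binding the paying account to the account that registered the signer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    maker: str         # identity the signer is registered under
    funder: str        # account the proxy pulls maker_amount from
    signer: str        # stands in for the address recovered from the order signature
    maker_amount: int
    taker_amount: int

class RfqProxy:
    """Toy single-asset model of an RFQ settlement proxy (constructed for illustration)."""
    def __init__(self, balances, approved_funders, strict):
        self.balances = dict(balances)
        self.approved = set(approved_funders)  # funders that approved the proxy to move tokens
        self.signers = {}                      # maker -> signers registered for that maker
        self.strict = strict

    def register_allowed_order_signer(self, caller, signer):
        # Self-service registration: a caller only adds signers under its own identity.
        self.signers.setdefault(caller, set()).add(signer)

    def fill(self, order, taker):
        if order.signer not in self.signers.get(order.maker, set()):
            raise PermissionError("signer not registered for maker")
        # Hardened path (assumed fix): the payer must be the party that authorized the signer.
        if self.strict and order.funder != order.maker:
            raise PermissionError("funder did not authorize this signer")
        if order.funder not in self.approved:
            raise PermissionError("funder has not approved the proxy")
        if self.balances.get(order.funder, 0) < order.maker_amount:
            raise ValueError("insufficient funder balance")
        self.balances[order.funder] += order.taker_amount - order.maker_amount
        self.balances[taker] = (self.balances.get(taker, 0)
                                + order.maker_amount - order.taker_amount)

def run_demo(strict):
    # Constructed scenario: an untrusted account signs an order that names another funder.
    proxy = RfqProxy({"mm_funder": 1_000_000, "attacker": 1}, {"mm_funder"}, strict)
    proxy.register_allowed_order_signer("attacker", "attacker")
    order = Order("attacker", "mm_funder", "attacker", 1_000_000, 1)
    try:
        proxy.fill(order, taker="attacker")
    except PermissionError as exc:
        return f"rejected: {exc}"
    return proxy.balances

if __name__ == "__main__":
    print(run_demo(strict=False))  # signer check passes, funds leave the unrelated funder
    print(run_demo(strict=True))   # order rejected before any transfer
```
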

TrustedVolumes confirmed the exploit and publicly posted the addresses of three wallets containing the stolen funds, asking the hacker to contact them about a “bug bounty and a mutually acceptable solution.”

1inch distances itself as DeFi hacks continue

Because TrustedVolumes acts as a liquidity provider and market maker on 1inch, some early reports framed the incident as a 1inch exploit.

However, that is incorrect, and both 1inch and Blockaid have issued statements clarifying that the protocol itself was not breached and that no user funds on 1inch were affected. TrustedVolumes operates independently on multiple platforms, not just 1inch.

The attack comes at a particularly difficult time for the DeFi ecosystem as it follows the disastrous month of April in which more than $650 million worth of crypto was stolen from various projects.

KelpDAO and Drift Protocol lost $292 million and $285.2 million, respectively.

So at $5.9 million, this latest exploit is relatively small. However, the technical complexity of the approach, which combined the deployment of ancillary contracts, the misuse of self-service signer registration, and the exploitation of issuer/funder mismatches in a single transaction, puts it in a different category than a simple error or misconfiguration.
