Decentralized finance protocol Trusted Volumes lost approximately $5.9 million in digital assets after an attacker exploited a critical flaw in its smart contract, according to blockchain security firm PeckShield.
"Our analysis shows the hack was caused by a logical error within the protocol's fillOrder function, allowing the attacker to bypass signature verification," a spokesperson for PeckShield said in a post-mortem report. Blockchain security firm SlowMist also confirmed the details of the exploit.
The total value drained from the liquidity provider for the 1inch network included 1,291 ETH ($3.02 million), 16.94 WBTC ($1.37 million), 1.26 million USDC, and 206,000 USDT. On-chain data shows the attacker immediately began laundering the funds, converting the stablecoins and WBTC into 2,513 ETH through a decentralized exchange.
The incident highlights the security risks inherent in Request for Quote (RFQ) DeFi protocols, which require broad user permissions to move funds. While the amount is not systemically threatening, it undermines user confidence and reinforces the high-risk narrative surrounding smaller, less-audited DeFi projects.
How the Attack Unfolded
Trusted Volumes operates as a decentralized Over-The-Counter (OTC) desk using an RFQ system, which facilitates peer-to-peer trading. In this model, a "taker" requests a price quote, and a "maker" provides one. Both parties sign the order, which is then settled by a smart contract. The security of this entire system hinges on flawless cryptographic signature verification.
The attacker found a vulnerability in the fillOrder function's signature validation logic. This allowed them to forge trading orders without proper authorization, effectively draining the funds that users had given the protocol approval to manage. The decentralized exchange 1inch, which uses Trusted Volumes as a liquidity provider, confirmed its own systems were unaffected by the breach.
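The sketch below is an added example, not Trusted Volumes' code, and it does not reproduce the actual flaw, whose details the reports quoted here do not give. It models the checks an RFQ settlement function has to pass before moving funds, with each failure rejecting the fill. The names, keys and domain string are hypothetical, and HMAC stands in for the ECDSA signatures a real contract verifies.

```python
import hashlib
import hmac
from dataclasses import astuple, dataclass

# Constructed demo keys. HMAC stands in for the ECDSA signatures a real
# settlement contract would verify; the checks around it are the point.
KEYS = {"maker-1": b"constructed-maker-key", "taker-1": b"constructed-taker-key"}
DOMAIN = b"rfq-demo:chain-1:settlement-v1"  # hypothetical domain separator

@dataclass(frozen=True)
class Order:
    maker: str
    taker: str
    sell_token: str
    sell_amount: int
    buy_token: str
    buy_amount: int
    nonce: int
    expiry: int

def order_digest(order: Order) -> bytes:
    # Cover every field that moves funds, plus the domain, so a signature
    # cannot be reused for different amounts or on another deployment.
    return hashlib.sha256(DOMAIN + repr(astuple(order)).encode()).digest()

def sign(party: str, order: Order) -> bytes:
    return hmac.new(KEYS[party], order_digest(order), hashlib.sha256).digest()

def signature_ok(party: str, order: Order, sig: bytes) -> bool:
    # Unknown signer or empty signature is a rejection, never a skipped check.
    if party not in KEYS or not sig:
        return False
    return hmac.compare_digest(sign(party, order), sig)

class Settlement:
    def __init__(self) -> None:
        self.used_nonces = set()  # (maker, nonce) pairs already settled

    def fill_order(self, order: Order, maker_sig: bytes, taker_sig: bytes, now: int) -> str:
        if now > order.expiry:
            return "rejected: expired"
        if (order.maker, order.nonce) in self.used_nonces:
            return "rejected: nonce already used"
        if not signature_ok(order.maker, order, maker_sig):
            return "rejected: maker signature"
        if not signature_ok(order.taker, order, taker_sig):
            return "rejected: taker signature"
        self.used_nonces.add((order.maker, order.nonce))  # burn nonce only on success
        return "filled"
```

Every branch that cannot prove authorization returns a rejection before any state changes, so a missing or mismatched signature can never fall through to settlement.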
This exploit serves as a stark reminder of the constant threats within the DeFi space. As attackers grow more sophisticated, the need for rigorous code audits and security best practices becomes ever more critical for protocols handling user funds.