A hacker linked to the May attack on TrustedVolumes, a liquidity resolver integrated with 1inch Fusion, has returned 1,122.12 ETH, valued at approximately $2.07 million. The settlement took place over two months after the exploit, reflecting an increasingly common trend toward direct negotiations between DeFi projects and attackers.
Settlement returns half of stolen ETH
The transferred funds represent about half of the stolen assets from the initial breach. As part of the negotiated bug bounty, the attacker reportedly retained a similar amount of ETH, according to Defimon Alerts. At the time of the return, Ether was priced around $1,843.
Both TrustedVolumes and the hacker confirmed the agreement through an on-chain message. The communication stated that negotiations were finalized and encouraged any remaining attackers involved in the incident to make contact with the company for potential further settlements.
More than two months after the $5.8 million exploit, one of the attackers returned 1,122 ETH, valued at $2 million. The parties confirmed that the funds were returned and the hacker accepted their bug bounty, with an open invitation for other participants in the incident to reach out.
TrustedVolumes indicated a willingness to engage constructively on bug bounties immediately following the exploit and maintained this offer in recent communications.
Details of the TrustedVolumes exploit
TrustedVolumes operates as a resolver in the 1inch Fusion Request-For-Quote (RFQ) marketplace, facilitating liquidity provision for token exchanges. On May 7, the system was compromised, resulting in withdrawals worth approximately $5.87 million, later estimated at up to $6.7 million when including all asset values and related losses.
According to cybersecurity firm Blockaid, the attacker stole several assets including 1,291 WETH, 1.26 million USDC, 206,282 USDT, and 16.93 WBTC. The breach was traced to specific resolver contract and RFQ proxy addresses on Ethereum. Etherscan classified the main attacker wallet as a TrustedVolumes exploit address.
Investigations showed that the exploit was not the result of stolen keys or undisclosed vulnerabilities, but rather an access-control flaw. Halborn, a blockchain security company, discovered that a public function allowed anyone to register as an authorized order signer, permitting attackers to process unauthorized transfers from approved funds. Blockaid detected the exploit in real time, confirming that neither the broader 1inch infrastructure nor end-user funds were impacted.
Mini dictionary: TrustedVolumes — A protocol serving as a liquidity resolver for 1inch Fusion, enabling efficient token swaps via its RFQ market mechanism.
| Asset | Amount Stolen |
|---|---|
| WETH | 1,291 |
| USDC | 1,260,000 |
| USDT | 206,282 |
| WBTC | 16.93 |
Growing reliance on negotiation in DeFi attacks
The rapid settlement in the TrustedVolumes case illustrates a broader change in strategy across the decentralized finance sector. More projects are opting for negotiated recoveries in response to hacks, rather than depending solely on law enforcement or extended legal proceedings.
Analysts have observed that this practice can offer speedy resolutions but may unintentionally encourage more attacks if cybercriminals see negotiations as a predictable outcome. TRM Labs reported that crypto scams led to $2.87 billion in losses from roughly 150 incidents in 2025, but advances in forensic tracking have increased recovery rates. Notably, firms like Blockaid, CertiK, and SlowMist rapidly identified and followed the movement of stolen assets in the TrustedVolumes incident, giving security teams leverage in subsequent negotiations.
The settlement resolved only part of the theft. The attacker who returned 1,122.12 ETH kept the remaining sum as a bug bounty, while the status of the other stolen assets remains open. Progress in future recoveries may depend on whether additional attackers opt to negotiate or choose to move the funds further, testing the evolving balance between blockchain transparency and the incentive to settle.




