An attacker behind the TrustedVolumes hack has returned 1,122 ETH, valued at approximately $2 million, while retaining a similar amount as a self-declared bounty.

Details of the May Exploit and Partial Recovery

The initial attack in May drained roughly $5.87 million from a TrustedVolumes contract, as traced by blockchain security firm Blockaid. The stolen funds were split across three addresses holding about $3 million, $3 million, and $700,000 respectively. Following the breach, TrustedVolumes sought to negotiate a vulnerability bounty and a constructive dialogue with the exploiter, though no official bounty rate was disclosed.

Blockaid also identified that the assets taken included 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1.27 million USDC before consolidation. The attacker reportedly exchanged these tokens for roughly 2,513 ETH. The returned 1,122 ETH represents just part of the stolen assets, with the retained bounty amount near the same value. The combined worth of the returned and retained ETH is lower than the initial loss due to ETH's price decline since May.

TrustedVolumes has yet to publicly confirm acceptance of the attacker’s bounty terms.

Cause of the Security Breach

According to crypto.news and Blockaid’s investigation, the May 7 attack exploited a custom request-for-quote (RFQ) swap proxy used by TrustedVolumes. Unlike a conventional 1inch swap route, the attacker targeted the company’s Ethereum resolver setup. The RFQ system was designed to quote token prices and process signed trades from TrustedVolumes’ inventory.

Security researchers at Verichains discovered that a public function in the proxy lacked proper access controls. This flaw enabled the attacker to register an address as an approved order signer, allowing creation of transactions that appeared authorized and valid, facilitating the exploit.

This material is provided for informational purposes and does not constitute financial advice.