TrustedVolumes’ $6.7 Million Hack Exposes DeFi’s Most Dangerous Weak Spot: Custom Infrastructure

DeFi has spent years hardening its flagship smart contracts. Hackers have noticed — and they’re increasingly attacking everything built around them instead.

That trend was on full display after crypto liquidity provider TrustedVolumes confirmed it lost roughly $6.7 million in a fresh exploit and is now attempting an increasingly common crypto damage-control strategy: negotiating directly with the attacker.

The company said it is open to “constructive communication” and even suggested a potential bounty arrangement if the hacker agrees to return the funds. It’s a familiar playbook in modern DeFi: get exploited, track the wallets, publicly offer terms, and hope the attacker decides that returning most of the funds is safer than trying to cash out stolen assets.

What Actually Happened

According to blockchain security researchers, the exploit didn’t target core infrastructure at decentralized exchange aggregator 1inch itself.

Instead, the attacker reportedly exploited a custom RFQ (request-for-quote) swap proxy controlled by TrustedVolumes — a separate layer used to execute trades more efficiently for liquidity providers.

That distinction matters.

Core protocols like 1inch have spent years being audited, stress-tested, and battle-hardened. But many third-party integrations, custom resolvers, liquidity engines, and proprietary trading tools often receive far less scrutiny despite handling millions in assets.

Blockchain security firm Blockaid said roughly $5.87 million was drained from TrustedVolumes’ Ethereum resolver. The stolen assets reportedly included:

1,291 ETH
206,282 USDT
16.9 BTC
1.26 million USDC

Researchers also believe the wallet may be connected to the same actor behind the March 2025 1inch Fusion exploit, raising fresh concerns that repeat attackers are targeting similar infrastructure weaknesses.

The Rise of “Shadow Infrastructure” Risk

This is becoming one of DeFi’s biggest security problems.

Retail users often assume that if they interact with a well-known platform, their funds are protected by the platform’s primary smart contracts. But modern DeFi stacks are far more complex than that.

Behind every front-end interface sits a web of custom routers, market makers, liquidity resolvers, bridging systems, execution layers, and automation infrastructure.

These backend systems often operate quietly in the background — until they fail spectacularly.

That’s what makes incidents like TrustedVolumes particularly concerning. Users may trust a recognizable brand, but vulnerabilities frequently emerge from third-party infrastructure they never knew existed.

The front door may be secure. The side entrance often isn’t.

Why Hackers Keep Negotiating

One of crypto’s strangest trends is how often protocol hacks now turn into negotiation sessions.

Rather than disappearing immediately, many attackers remain visible on-chain while projects publicly offer bug bounties in exchange for returned funds.

It’s become a rational strategy for both sides.

For protocols, recovering even 70% to 90% of stolen funds is far better than writing off the entire loss.

For hackers, returning funds can reduce legal risk while allowing them to walk away with a “white hat bounty” worth millions.

We’ve seen this repeatedly across DeFi over the past two years. What used to be framed as outright theft increasingly resembles high-stakes ransom diplomacy.

TrustedVolumes appears to be following that exact script.

The company revealed the stolen assets are currently spread across three wallets holding approximately $3 million, $3 million, and $700,000 respectively — a signal that investigators are actively tracking the funds.

The Bigger Problem for DeFi

This hack isn’t just about one liquidity provider losing millions.

It highlights a broader issue across crypto infrastructure: protocols are becoming increasingly modular, but security standards aren’t keeping pace.

As DeFi grows more sophisticated, teams continue adding custom execution layers to improve speed, reduce slippage, and boost profitability.

That innovation creates competitive advantages.

It also creates new attack surfaces.

And hackers are adapting faster than many protocols.

Rather than attacking battle-tested smart contracts directly, they’re hunting for weaker custom-built components that manage significant capital but lack equivalent oversight.

That strategy is working.

Trust Is Becoming DeFi’s Most Valuable Asset

The most damaging part of these hacks isn’t always the stolen funds.

It’s the erosion of trust.

Institutional players entering DeFi want efficiency, but they also want predictability. Repeated infrastructure failures make that much harder.

The irony is hard to ignore: DeFi was built to remove trusted intermediaries, yet users increasingly rely on hidden middle layers they barely understand.

Until protocols secure every part of their operational stack — not just flagship contracts — these attacks will continue.

And hackers know exactly where to look next.
