Hacker Drains $5.9M From Ethereum Liquidity Provider TrustedVolumes
TrustedVolumes, an Ethereum liquidity provider, lost approximately $5.9 million due to a hacker exploiting a vulnerability in its custom trading system. The attacker abused a design flaw in the order-settlement system, allowing unauthorized withdrawals of ETH, WBTC, USDT, and USDC. TrustedVolumes confirmed the breach and is seeking a resolution with the hacker, while related platforms like 1inch are distancing themselves amid ongoing DeFi security concerns.
TrustedVolumes, a liquidity provider on the Ethereum blockchain, lost about $5.9 million in funds to a hacker on Thursday. The attacker was able to exploit a vulnerability within the custom trading system used by the platform and managed to withdraw the funds, which included ETH, WBTC, as well as USDT and USDC stablecoins. What Happened According to blockchain security firm Blockaid, which caught the exploit as it was happening, the stolen funds included 1,291 WETH, around 16.9 WBTC, roughly 206,000 USDT, and just under 1.27 million USDC. The attack worked by abusing a design flaw in TrustedVolumes’ custom order-settlement system, known as a Request for Quote (RFQ) proxy. GoPlus Security posted a breakdown showing that the attacker registered themselves as an authorized “order signer” using a function called “registerAllowedOrderSigner()” that was publicly accessible. The function allows anyone to designate their own address as a valid signer for trades they controlled, and while normally that would be harmless enough, the settlement function had a separate problem: it checked authorization against one address while actually pulling funds from a different one. As detailed in a technical report posted by security researcher Defi Nerd, the attacker used that gap to execute four drain transactions against the TrustedVolumes resolver contract, which had previously given the proxy permission to move its tokens. According to them, each time, the proxy pulled assets from the resolver and sent only a single raw USDC unit back. Then the attacker converted the stolen WETH back into ETH and forwarded everything to their own wallet. TrustedVolumes confirmed the exploit and publicly posted three wallet addresses holding the stolen funds, asking the hacker to get in touch about a “bug bounty and a mutually acceptable resolution.” 1inch Distances Itself as DeFi Hacks Continue Because TrustedVolumes functions as a liquidity provider and market maker on 1inch, some early reports ...
Comments
Log in to comment