TrustedVolumes: $6.7M RFQ Proxy Exploit
A custom RFQ swap proxy let anyone whitelist themselves as an authorized signer. The hacker drained $6.7M, swapped to ETH, and walked.

On May 8, 2026, DeFi platform TrustedVolumes joined the long list of protocols that learned that a contract called a "Custom RFQ Swap Proxy" should not have a function that lets a stranger whitelist themselves as an authorized order signer. The attacker found that function. They used it. TrustedVolumes lost $6.7 million.
RFQ stands for Request For Quote. It is a way DeFi platforms let market makers quote prices to traders without going through a public liquidity pool. Done right, RFQ systems are efficient. Done wrong, they let anyone with the right transaction become the market.
The TrustedVolumes contract had a function intended to manage a whitelist of "authorized order signers." This list controlled who could sign quotes that the system would honor as legitimate. According to crypto researcher Humphrey, who broke down the exploit, the function had a permissions flaw. An attacker could call it directly and add themselves to the authorized signer list. From there, they could sign their own quotes, route trades through the proxy, and effectively drain the contract's holdings into their own wallet.
That is exactly what happened. The hacker added themselves as an authorized signer, executed a series of self-favoring swaps, and drained the contract. They moved fast. According to TrustedVolumes' own post-incident statement on X, the attacker quickly exchanged all assets for 2.513 ETH on a decentralized exchange and distributed the proceeds across three addresses. The conversion to ETH was the key step. ETH is fungible across the Ethereum ecosystem and harder to freeze than the various tokens originally held.
TrustedVolumes confirmed the incident publicly. They posted the addresses currently holding the stolen funds. They updated the estimated loss to roughly $6.7 million. They asked centralized exchanges and stablecoin issuers to flag the funds. As of May 9, 2026, none of the centralized exchanges have publicly announced freezes against the addresses, and the funds have not yet moved to known mixers. The hacker is sitting on 2.513 ETH plus whatever residual tokens are spread across the three addresses, waiting for the heat to die down.
The TrustedVolumes hack is small by 2026 standards. The same week, the year-to-date DeFi loss tally was sitting near $700 million. KelpDAO and Drift had already accounted for over $577 million of that. TrustedVolumes was a footnote.
But the pattern matters. The exploit was not a mathematical bug. It was not a flash loan attack. It was not even a private key compromise. It was a contract that let outsiders modify its own permissions. Someone wrote that function. Someone deployed that function. Someone audited the contract or did not bother. The result was the same.
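The permissions flaw described above, a signer-whitelist function that any caller can invoke, shown beside a hardened form. This is an added example and not TrustedVolumes' code: Solidity is assumed as the contract language, and every contract, function, event and error name is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All names are hypothetical; this is not TrustedVolumes' code.

// Before: the whitelist setter has no caller check.
contract SignerRegistryFlawed {
    mapping(address => bool) public isAuthorizedSigner;

    // FLAW: external and unguarded, so any address can rewrite the signer set,
    // including adding itself.
    function setSigner(address signer, bool allowed) external {
        isAuthorizedSigner[signer] = allowed;
    }
}

// After: only the owner can change the signer set, and every change is logged.
contract SignerRegistryHardened {
    address public immutable owner;
    mapping(address => bool) public isAuthorizedSigner;

    event SignerUpdated(address indexed signer, bool allowed, address indexed by);

    error NotOwner(address caller);
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor(address initialOwner) {
        if (initialOwner == address(0)) revert ZeroAddress();
        owner = initialOwner; // assumed to be a multisig or timelock, not a hot key
    }

    function setSigner(address signer, bool allowed) external onlyOwner {
        // ecrecover returns address(0) for an invalid signature, so the zero
        // address must never be whitelisted as a signer.
        if (signer == address(0)) revert ZeroAddress();
        isAuthorizedSigner[signer] = allowed;
        emit SignerUpdated(signer, allowed, msg.sender);
    }
}
```

The `SignerUpdated` event gives monitoring a single signal to alert on: any signer change that does not match an approved change.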
TrustedVolumes has not announced a recovery plan. There is no insurance fund. There is no guarantor. The protocol's users absorb the loss. The team's promise to "work with law enforcement" is the standard DeFi placeholder for "we have no way to get your money back."
The hack lands in a stretch where every week brings another DeFi exploit. The industry has been in this loop since 2020. The dollar amounts go up. The audits keep saying the contracts pass. The hackers keep finding the function nobody noticed. The TrustedVolumes attack is not the year's headline. It is the year's wallpaper.
The Aftermath
TrustedVolumes has not announced a recovery plan. The funds remain in the attacker's three Ethereum addresses as of May 9, 2026. No centralized exchange has publicly flagged the addresses. There is no insurance fund or guarantor. Users absorb the loss. The team has asked law enforcement to investigate, which in DeFi practice means the money is gone.