1inch Liquidity Provider Hit for ~$6M in Repeat Attack, Attacker Linked to 2025 Exploit
Security firm Blockaid says the drain on TrustedVolumes is ongoing, and the attacker appears to be the same entity that stole roughly $5M from the same target fourteen months ago.
A professional liquidity provider operating inside the 1inch decentralized exchange network is being actively drained of at least roughly $6 million, according to Web3 security monitoring firm Blockaid. The target is TrustedVolumes, a resolver firm that settles user swap orders through 1inch's Fusion protocol. Blockaid flagged the incident on May 7, 2026, and characterized the drain as ongoing at the time of reporting. Critically, the firm says the attacker appears to be the same entity responsible for a March 2025 exploit that pulled roughly $5 million from the same victim.
A Repeat Attacker, a Familiar Vulnerability
The March 2025 attack exploited a flaw in Fusion V1, the original version of 1inch's gasless swap system. Fusion routes user orders to approved resolvers instead of the open blockchain mempool, which normally protects traders from front-running bots. The problem was that 1inch deprecated Fusion V1 in 2023 but never disabled the underlying smart contract, meaning it remained callable on-chain.
The attacker in that earlier incident exploited an integer underflow bug buried in a low-level function written in Yul, a specialized assembly language used in Ethereum smart contracts. By setting a parameter called interactionLength to a large negative value (specifically -512, represented in two's complement as 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00), the attacker caused the contract's memory arithmetic to wrap around and write forged data into the wrong location.
That forged data pointed to TrustedVolumes as the legitimate resolver, tricking the trusted 1inch settlement contract into calling resolveOrders() on TrustedVolumes and transferring funds directly to the attacker. The attack ran across ten transactions in a single Ethereum block (block #21,982,111).
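The wrap-around described above, as an added illustration that is not code from 1inch or from the original report: a Python model of the EVM's unchecked 256-bit addition next to a bounds-checked version of the same offset computation. The buffer size, the interaction offset and all function names are constructed for the demonstration and do not reflect the real Fusion V1 calldata layout.

```python
# Added illustration: models EVM 256-bit wrapping arithmetic, not 1inch's code.
WORD = 1 << 256  # EVM words are 256 bits; Yul add() wraps modulo 2**256

# -512 as a 256-bit two's complement word (0xff...fe00, the value the article cites).
INTERACTION_LENGTH = (-512) % WORD


def to_signed(word: int) -> int:
    """Interpret a 256-bit word as a two's complement signed integer."""
    return word - WORD if word >> 255 else word


def yul_add(a: int, b: int) -> int:
    """Unchecked addition, as performed by the EVM ADD opcode."""
    return (a + b) % WORD


def suffix_offset_unchecked(interaction_offset: int, length: int) -> int:
    """Where a parser that trusts `length` expects the data after the interaction."""
    return yul_add(interaction_offset, length)


def suffix_offset_checked(interaction_offset: int, length: int, buffer_size: int) -> int:
    """Same computation, with the length bounded before any pointer arithmetic."""
    if interaction_offset > buffer_size:
        raise ValueError("interaction offset outside buffer")
    if length > buffer_size - interaction_offset:
        raise ValueError("interaction length exceeds remaining buffer")
    return interaction_offset + length


# Constructed sample layout (hypothetical numbers, chosen only for the demo).
BUFFER_SIZE = 0x800
INTERACTION_OFFSET = 0x480

if __name__ == "__main__":
    print("length as signed:", to_signed(INTERACTION_LENGTH))
    wrapped = suffix_offset_unchecked(INTERACTION_OFFSET, INTERACTION_LENGTH)
    print("unchecked suffix offset:", hex(wrapped))  # lands 512 bytes before the interaction
    try:
        suffix_offset_checked(INTERACTION_OFFSET, INTERACTION_LENGTH, BUFFER_SIZE)
    except ValueError as exc:
        print("checked parser rejected input:", exc)
```

The unchecked result points backwards into data the parser has already passed, which is the general shape of the "write into the wrong location" failure; comparing the length against the remaining buffer before adding closes that path.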
The mechanism used in the current May 2026 attack has not been publicly confirmed. It is unknown at the time of reporting whether the same Fusion V1 calldata exploit is being repeated or whether a different vulnerability is being exploited.
Nine separate audit firms had reviewed the code over a roughly two-year period without catching the flaw.
After the March 2025 incident, the attacker returned most of the stolen funds following a negotiation and retained roughly $450,000, approximately ten percent of the haul, as what the attacker framed as a "bug bounty." They also left a brief on-chain message: "Can I have bounty?"
Rekt.news noted at the time that the attacker incorrectly transferred half of the stolen funds to the 1inch settlement contract itself.
Blockaid's Detection and the "Ongoing" Characterization
Blockaid and 1inch announced a formal security partnership in June 2024, making the firm a well-positioned first line of detection for threats inside the 1inch ecosystem. Blockaid operates as an independent, real-time security monitor and does not wait for protocol teams to raise an alarm before flagging suspicious activity. In late April 2026, the firm similarly identified a live admin-key compromise affecting Wasabi Protocol across Ethereum and Base before Wasabi made any public statement.
In the TrustedVolumes case, Blockaid's description of the drain as "ongoing" suggests it is actively tracking fund movements in real time. The $6 million figure reported should be treated as a floor rather than a final number.
Token and Protocol Context
The 1INCH token was trading near $0.099 as of May 6, 2026, near multi-year lows, with roughly $14.5 million in 24-hour trading volume and a circulating supply of approximately 1.4 billion tokens. That implies a market cap of around $138 million.
Despite token weakness, 1inch itself processes roughly $400 million in daily swap volume and holds more than 59% of the EVM-based DEX aggregator market by share, operating across 13 or more chains including Ethereum, BNB Chain, Arbitrum, Base, and Polygon. The incident also occurs against a backdrop of mounting losses across decentralized finance: more than $770 million has been drained from DeFi protocols in 2026 year to date, with April 2026 recorded as the worst single month in the history of DeFi hacks.
TrustedVolumes, separately, handles over $1 billion in daily transactions and offers roughly 10% annual yield to users who delegate 1INCH tokens through its resolver infrastructure.
Regional Stakes: Nigeria, India, and the Cost of Deprecated Code
This incident carries particular weight for users in South Asia and sub-Saharan Africa. According to CryptoNewsNavigator's reporting on the 2026 Global Crypto Adoption Index, India ranks first globally in overall crypto adoption, with more than 100 million users.
Nigeria ranks second globally and first specifically in DeFi value received, with 32% of adults owning or using crypto.
Pakistan ranks eighth globally, while Kenya, ranked thirteenth, and Ethiopia, ranked tenth, both appeared in the top 20 for the first time.
Stablecoin usage in sub-Saharan Africa grew more than 180% year over year, driven by remittances, savings, and merchant payments.
These are not fringe markets. Retail users in Lagos, Nairobi, Karachi, and Mumbai increasingly rely on DEX aggregators like 1inch for low-cost cross-border swaps, specifically because layer 2 fee reductions have made DeFi practically accessible.
A repeat exploit on a major resolver, carried out by the same attacker who already struck once and negotiated a payout, risks reinforcing regulatory skepticism in markets where crypto frameworks are currently being written. India and Pakistan, for example, are both actively drafting crypto regulations, with Pakistan's Crypto Council and the Pakistan Virtual Assets Regulatory Authority having launched in March 2025.
The Broader Warning
The core lesson from both attacks is straightforward: deprecated contracts must be actively disabled, not just removed from documentation. As Halborn noted after the March 2025 incident, "Fusion V1 was deprecated in 2023 but never disabled. Resolvers could continue using it indefinitely, accumulating technical debt with no forcing function to upgrade."
The calldata corruption class of vulnerability is not unique to 1inch. This incident stands as a broader warning: any DeFi protocol using resolver or order-settlement architecture on EVM chains should treat it as a prompt to audit any legacy contracts still sitting live on-chain, regardless of whether those contracts appear in current user flows.
At the time of publication, neither 1inch nor TrustedVolumes had issued a public statement. The total amount drained may rise as the situation develops.