Daily Crypto News & Musings

1inch-Linked Liquidity Provider Drained $5.87M in DeFi Approval Exploit

A 1inch-linked liquidity provider has been exploited for nearly $5.87 million after attackers abused stale wallet approvals and a contract permission path that should never have been left exposed.

  • $5.87 million stolen from a 1inch-related liquidity provider
  • Old approvals abused — no fresh malicious signature needed
  • Trusted Volumes resolver contract was the target
  • WETH, USDT, WBTC, and USDC were drained
  • DeFi hacks in 2026 keep stacking up

The attack centered on a Trusted Volumes resolver contract tied to the 1inch ecosystem. In plain English, a resolver contract is part of the plumbing that helps route or validate orders inside a DeFi system. It is supposed to make things work smoothly. Instead, a public function in that contract appears to have handed attackers a way to add themselves as an “Allowed Order Signer”, which gave them the authority to move assets using permissions victims had already granted long ago.

That’s the ugly part. The exploit reportedly did not require victims to sign fresh malicious transactions. No new warning pop-up, no last-second “are you sure?” moment, no obvious phishing bait. The old approvals did the heavy lifting.

Security firm Blockaid described the mechanics bluntly:

“Attackers abused old wallet approvals without requiring users to sign new malicious transactions during exploit.”

And it gets worse. Those stale permissions are exactly the kind of thing many users forget about after using a protocol once or twice. Token approvals are the permissions that let a smart contract move tokens from a wallet. They are useful. They are also a mess if left hanging around forever. Unlimited approvals can become a standing invitation for trouble, especially when a protocol later develops a contract flaw.

Once the attacker had signer status, Blockaid said the vulnerability allowed them to execute malicious orders directly from users’ wallets. That means the exploit was not just a brute-force theft; it was a permissions abuse attack. The attacker didn’t need to trick each victim individually in real time. The protocol’s own setup did the work for them. Efficient, nasty, and exactly the kind of thing that makes DeFi security teams lose sleep.
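The permission path described above, as an added example that is not the Trusted Volumes contract or any code from 1inch. It is a simplified Python model in which every class, function and account name is hypothetical. It puts the unguarded signer-management function beside a guarded one and shows what each does to a wallet holding an old unlimited approval.

```python
# Simplified model with hypothetical names; not the real contract.
class Token:
    """Minimal ERC-20-style ledger with allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError("allowance too low")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("balance too low")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Resolver:
    """Contract that spends user allowances for its allowed signers."""
    def __init__(self, token, admin, guarded):
        self.token, self.admin, self.guarded = token, admin, guarded
        self.signers = {admin}

    def add_signer(self, caller, new_signer):
        # Hardened variant: only the admin may extend the signer set.
        if self.guarded and caller != self.admin:
            raise PermissionError("only admin may add signers")
        self.signers.add(new_signer)

    def fill_order(self, signer, owner, to, amount):
        if signer not in self.signers:
            raise PermissionError("not an allowed signer")
        self.token.transfer_from("resolver", owner, to, amount)


def run(guarded):
    """Return alice's balance after an outsider tries the signer path."""
    token = Token({"alice": 100})
    token.approve("alice", "resolver", 2**256 - 1)  # old unlimited approval
    resolver = Resolver(token, admin="ops", guarded=guarded)
    try:
        resolver.add_signer("mallory", "mallory")
        resolver.fill_order("mallory", "alice", "mallory", 100)
    except PermissionError:
        pass  # the guarded resolver rejects the outsider
    return token.balances["alice"]
```

In the unguarded run the balance falls to zero without alice signing anything new; with the access check in place the same calls are rejected and the approval stays unused.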

PeckShield also tracked the theft and confirmed the drained assets:

  • 1,291.16 WETH
  • 206,282 USDT
  • 16.939 WBTC
  • 1,268,771 USDC

That mix tells you what attackers care about: liquid assets that can be moved quickly and monetized without much fuss. Wrapped Ether, stablecoins, and wrapped Bitcoin are all valuable precisely because they are easy to trade and bridge. No moral philosophy, no grand thesis, just theft with a blockchain wrapper on top.

Blockaid said the attacker behind this exploit appears to be linked to the March 2025 1inch Fusion V1 attack. That suggests this may not be a random one-off event, but part of a more persistent campaign. The firm also warned the exploit may still be ongoing, which is the sort of sentence nobody wants to read when funds are already disappearing on-chain.

The sequence here is painfully familiar across DeFi: a contract has a permissioning flaw, attackers find a public entry point, stale user approvals get weaponized, and funds are siphoned without fresh consent. That’s the hidden edge of composability. The same openness that lets DeFi systems plug into each other also creates a lot of ways for one weak link to become a full-blown drainpipe.

This wasn’t an isolated hit, either. It was reportedly the fifth major DeFi exploit in the past month, following other huge incidents, including a $285 million exploit targeting Drift Protocol and a $293 million attack involving Kelp DAO. When losses start piling up at that rate, the “just a few bad actors” excuse gets pretty thin. At some point, it’s fair to call it what it is: a security culture problem.

April 2026 has already seen about $635.2 million in crypto theft, the highest monthly total since the Bybit exploit in 2025, when nearly $1.5 billion was stolen. That doesn’t mean every DeFi protocol is doomed, but it does mean the sector is still shipping complexity faster than it is shipping safety. Powerful systems are nice. Safe powerful systems are better.

For everyday users, the lesson is less glamorous but far more useful: unlimited token approvals are dangerous. They can remain active long after you stop using a protocol. If that protocol later gets compromised, those old permissions can become an open road into your wallet. Self-custody is not the same thing as self-defense. If you grant broad approvals and never revoke them, you may as well leave the spare key under a rock labeled “definitely here.”

DeFi does remove intermediaries, and that matters. It also removes a lot of guardrails, which means users need better habits and protocols need tighter permissions by default. The idea that “trustless” automatically means “safe” is nonsense. Trustless means there’s no banker to save you when the code or the permissions layer goes sideways.

For users who want to reduce exposure, the practical moves are simple:

  • Revoke unused approvals regularly
  • Avoid unlimited permissions unless absolutely necessary
  • Use separate wallets for testing and higher-risk DeFi activity
  • Check contract permissions before interacting with new protocols
  • Be skeptical of anything asking for broad, long-lived access

That won’t stop every exploit, but it will close one of the most common back doors. In DeFi, negligence is often the attacker’s best friend. A little approval hygiene goes a long way.
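One way to do the first two checks in that list, as an added example that is not from the original article: replay a wallet's ERC-20 `Approval` events, keep the latest value per token and spender, and flag allowances that are still live, unlimited, or old. The addresses, block numbers and staleness threshold are constructed sample values.

```python
from dataclasses import dataclass

UNLIMITED = 2**256 - 1  # conventional "infinite" ERC-20 allowance


@dataclass
class Approval:
    block: int
    token: str
    owner: str
    spender: str
    value: int


def outstanding(events, owner, now_block, stale_after):
    """Return live allowances for owner, flagged unlimited and/or stale."""
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.owner == owner:
            latest[(ev.token, ev.spender)] = ev  # later Approval overwrites
    findings = []
    for (token, spender), ev in sorted(latest.items()):
        if ev.value == 0:
            continue  # approve(spender, 0) is a revocation
        flags = []
        if ev.value >= UNLIMITED // 2:  # near uint256 max counts as unlimited
            flags.append("unlimited")
        if now_block - ev.block > stale_after:
            flags.append("stale")
        findings.append((token, spender, flags))
    return findings


# Constructed sample events (addresses are placeholders)
EVENTS = [
    Approval(100, "USDC", "0xUser", "0xRouterA", UNLIMITED),
    Approval(150, "WETH", "0xUser", "0xRouterA", 5 * 10**18),
    Approval(900, "USDT", "0xUser", "0xRouterB", UNLIMITED),
    Approval(950, "USDT", "0xUser", "0xRouterB", 0),  # revoked later
    Approval(980, "WBTC", "0xUser", "0xRouterC", 10**8),
    Approval(990, "USDC", "0xOther", "0xRouterA", UNLIMITED),
]

REPORT = outstanding(EVENTS, "0xUser", now_block=1000, stale_after=500)
```

The logged value is the amount granted at the time; the remaining allowance can be lower after spends, so confirm with the token's `allowance(owner, spender)` before deciding what to revoke.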

  • What happened?
    A 1inch-connected liquidity provider was exploited, and nearly $5.87 million in crypto assets was drained.
  • How did the exploit work?
    Attackers abused a public function in a Trusted Volumes resolver contract to make themselves an Allowed Order Signer, then used stale wallet approvals.
  • Did victims sign new malicious transactions?
    No. That’s part of what made the exploit especially dangerous.
  • Which assets were stolen?
    WETH, USDT, WBTC, and USDC.
  • Why are token approvals risky?
    Because old approvals can remain active for a long time and can be abused if a protocol’s permissions are compromised.
  • Is this incident isolated?
    No. It comes amid a sharp rise in DeFi hacks in 2026, with multiple major exploits in recent weeks.
  • Is the attacker linked to a previous attack?
    Blockaid said the exploiter appears to be linked to the March 2025 1inch Fusion V1 attack.
  • What does this say about DeFi security?
    Smart contract security and permission management are still major weak points, and “decentralized” does not mean “invulnerable.”