
The decentralized finance (DeFi) sector has suffered another multi-million-dollar breach. Alerts from blockchain security firms SlowMist and PeckShield say hackers drained approximately $5.9 million in Ethereum (ETH), Wrapped Bitcoin (WBTC), and stablecoins from the trading protocol Trusted Volumes.
According to the reports, the incident stemmed from a fundamental flaw in Trusted Volumes’ core signature validation logic. The flaw allowed an attacker to bypass authorization checks and forge trading orders, undermining the protocol’s ability to verify cryptographic signatures.
Trusted Volumes is built on a Request for Quote (RFQ) architecture, which functions more like decentralized over-the-counter (OTC) trading than automated market makers (AMMs) such as Uniswap. In an RFQ setup, a “taker” requests a price quote and a “maker” offers a firm price. Both sides cryptographically sign the order, and the smart contract settles the swap. Because users must grant the protocol broad approval to move their funds, accurate signature verification is critical to RFQ security.
In this case, PeckShield attributes the breach to a logical error in the protocol’s fillOrder function.
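The checks an RFQ fill function has to make before moving approved funds, shown as an added example: this is not Trusted Volumes' code, and the reports quoted here do not give the specifics of the logic error. The contract name, `Order` layout and error strings are hypothetical, and the sketch assumes the taker authorizes the fill by being the caller rather than with a second signature.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative RFQ settlement sketch (hypothetical names; not the protocol's code).
contract RfqSettlementSketch {
    struct Order {
        address maker; address taker;
        address makerToken; address takerToken;
        uint256 makerAmount; uint256 takerAmount;
        uint256 nonce; uint256 expiry;
    }

    bytes32 private constant ORDER_TYPEHASH = keccak256(
        "Order(address maker,address taker,address makerToken,address takerToken,uint256 makerAmount,uint256 takerAmount,uint256 nonce,uint256 expiry)");
    bytes32 private immutable DOMAIN_SEPARATOR;
    mapping(address => mapping(uint256 => bool)) public nonceUsed;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)"),
            keccak256("RfqSettlementSketch"), block.chainid, address(this)));
    }

    function fillOrder(Order calldata o, uint8 v, bytes32 r, bytes32 s) external {
        require(msg.sender == o.taker, "caller is not the quoted taker");
        require(block.timestamp <= o.expiry, "quote expired");
        require(!nonceUsed[o.maker][o.nonce], "quote already filled");

        // Hash every field that affects settlement, bound to this chain and contract.
        // Order has only static members, so abi.encode lays its fields out inline.
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR,
            keccak256(abi.encode(ORDER_TYPEHASH, o))));

        // ecrecover returns address(0) for an invalid signature; reject that case
        // explicitly, and reject high-s values so each signature has one encoding.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "malleable signature");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == o.maker, "not signed by maker");

        // Mark the quote used before any external call, then settle both legs.
        nonceUsed[o.maker][o.nonce] = true;
        require(IERC20(o.takerToken).transferFrom(o.taker, o.maker, o.takerAmount), "taker leg failed");
        require(IERC20(o.makerToken).transferFrom(o.maker, o.taker, o.makerAmount), "maker leg failed");
    }
}
```

The property to audit is that the address whose allowance is spent is the same address recovered from a signature over the full order; tokens that do not return a boolean from `transferFrom` need a safe-transfer wrapper instead of the bare `require`.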
PeckShield reported that the total haul was approximately $5.9 million. SlowMist’s analysis of the stolen assets identified the following amounts:
Following the theft, the attacker began laundering the stolen funds. According to SlowMist, on-chain activity shows the stolen stablecoins and Wrapped Bitcoin were routed through a decentralized exchange.

Coinbase has launched a High Yield USDC vault within its in-app DeFi lending offering, adding a second lending option that provides exposure to a wider range of collateral assets. The product is powered by Morpho infrastructure and uses vault allocations curated by Steakhouse Financial.