Hackers Drain Nearly $6 Million in ETH and BTC from Trusted Volumes



The decentralized finance (DeFi) sector has just endured yet another multi-million-dollar breach.

According to alerts from prominent blockchain security firms SlowMist and PeckShield, hackers managed to drain approximately $5.9 million in Ethereum, Wrapped Bitcoin (WBTC), and stablecoins from trading protocol Trusted Volumes.

The breach stemmed from a fundamental flaw in the protocol’s core signature validation logic, which allowed the attacker to bypass authorization checks and forge trading orders.


A fatal flaw

Trusted Volumes is a DeFi trading protocol built upon a Request for Quote (RFQ) architecture. It operates similarly to a decentralized Over-The-Counter (OTC) desk.

An RFQ system facilitates peer-to-peer trading, which sets it apart from traditional Automated Market Makers (AMMs) like Uniswap.

A “taker” requests a price quote, and a “maker” offers a firm price. Both parties cryptographically sign the order, and the smart contract settles the swap. Users have to grant the protocol broad approval to move their funds. Hence, flawless cryptographic signature verification is essential for the security of an RFQ network.

In this case, the devastating security breach was caused by a logical error within the protocol’s fillOrder function.
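As an added illustration, and not code from Trusted Volumes or from either security firm quoted above, the Python below models the checks an RFQ fillOrder has to pass before it moves a maker's approved funds: the maker signs a hash that binds every order field plus a domain separator, and settlement recovers the signer from the signature and refuses the fill unless that signer is the order's maker, the nonce is unused and the quote has not expired. It carries its own from-scratch secp256k1 implementation so it runs offline. The keys, token names, amounts, timestamps and domain string are constructed placeholders; SHA-256 stands in for keccak256/EIP-712 hashing; makers are identified by public key rather than by Ethereum address; and the nonce derivation in sign() is a simplified stand-in for RFC 6979. The article does not describe the specific logic error, so the code shows the intended checks rather than the bug.

```python
import hashlib

# secp256k1 parameters, the curve behind Ethereum's ecrecover
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sign(z, priv):
    """ECDSA (r, s, v) over hash z. Nonce k = hash(priv || z) is a simplified stand-in
    for RFC 6979; s is normalised to low-s so each order hash has one accepted signature."""
    seed = priv.to_bytes(32, "big") + z.to_bytes(32, "big")
    k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % N
    rx, ry = ec_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    v = ry & 1
    if s > N // 2:
        s, v = N - s, v ^ 1
    return r, s, v

def recover(z, r, s, v):
    """Public key that produced (r, s, v) over z, as ecrecover does; None if malformed."""
    if not (0 < r < N and 0 < s <= N // 2):   # range check plus high-s rejection
        return None
    y_sq = (pow(r, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)            # P % 4 == 3, so this is a modular sqrt
    if y * y % P != y_sq:
        return None
    if y & 1 != v:
        y = P - y
    r_inv = pow(r, -1, N)
    return ec_add(ec_mul(-z * r_inv % N, G), ec_mul(s * r_inv % N, (r, y)))

# Constructed domain separator: binds the signature to one chain and one settlement contract.
DOMAIN = b"RFQ-demo|chain:1|verifier:0x" + b"00" * 20

def order_digest(order):
    """Hash every order field under the domain separator (SHA-256 stands in for EIP-712
    keccak hashing); altering any field invalidates the maker's signature."""
    encoded = DOMAIN + repr(sorted(order.items())).encode()
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big")

class RFQSettlement:
    """The checks a fillOrder must pass before the contract moves the maker's approved funds."""

    def __init__(self):
        self.used = set()   # (maker, nonce) pairs already filled: replay protection

    def fill_order(self, order, sig, caller, now):
        if now > order["expiry"]:
            return "expired"
        if order["taker"] is not None and order["taker"] != caller:
            return "wrong taker"
        if (order["maker"], order["nonce"]) in self.used:
            return "nonce used"
        # Recover the signer from the order's own digest and insist it is the maker.
        # Makers are identified by public key here; Ethereum would compare addresses.
        if recover(order_digest(order), *sig) != order["maker"]:
            return "bad signature"
        self.used.add((order["maker"], order["nonce"]))
        return "filled"

def demo():
    """Honest fill, replay, and two forgery attempts; returns the settlement's verdicts."""
    maker_priv, taker_priv = 0x1111, 0x2222          # constructed keys, never use small keys
    maker_pub, taker_pub = ec_mul(maker_priv, G), ec_mul(taker_priv, G)
    quote = {"maker": maker_pub, "taker": None, "token_in": "WBTC", "amount_in": 10**8,
             "token_out": "USDC", "amount_out": 60_000 * 10**6, "expiry": 1_700_000_000, "nonce": 1}
    sig = sign(order_digest(quote), maker_priv)
    settle, now = RFQSettlement(), 1_699_999_000
    verdicts = [settle.fill_order(quote, sig, taker_pub, now),     # honest fill
                settle.fill_order(quote, sig, taker_pub, now)]     # replay of the same order
    # A rewritten quote (maker gives 1 WBTC for 1 unit of USDC) presented with the old signature...
    forged = dict(quote, amount_out=1, nonce=2)
    verdicts.append(settle.fill_order(forged, sig, taker_pub, now))
    # ...and the same forged quote signed by the taker's own key instead of the maker's.
    verdicts.append(settle.fill_order(forged, sign(order_digest(forged), taker_priv), taker_pub, now))
    return verdicts

if __name__ == "__main__":
    print(demo())   # ['filled', 'nonce used', 'bad signature', 'bad signature']
```

The point of the four verdicts is that every path by which a fill could move funds without the maker's consent has to fail on the signature or nonce check: a replayed order dies on the nonce, and a rewritten order dies because its digest no longer matches what the maker signed, whoever signs it instead. Any shortcut in that recover-and-compare step (accepting a None signer, comparing against a caller-supplied address, hashing only some fields) is exactly the class of error that turns a blanket token approval into a drain.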

According to PeckShield, the total haul amounted to $5.9 million. SlowMist’s autopsy of the drained assets revealed a massive pile consisting of 1,291 ETH ($3.02 million), 16.94 WBTC ($1.37 million), 1.26 million USDC, and 206,000 USDT.

The bad actor immediately started laundering the stolen funds (to no one’s surprise). On-chain data confirms the attacker laundered the stolen stablecoins and Wrapped Bitcoin through a decentralized exchange.
