The attacker behind the Trusted Volumes exploit has returned 1,122 ETH to the protocol while retaining a roughly $2 million bounty, an on-chain settlement that underscores the growing trend of negotiated outcomes in DeFi security incidents. The partial recovery, confirmed by Etherscan, closes a chapter of the May 7 exploit that drained approximately $5.9 million through a vulnerability in the project’s RFQ swap proxy.
What happened: The wallet linked to the original attack moved 1,122 ETH (valued near $2 million) back to Trusted Volumes’ inventory. The remaining funds—around $2 million—remain with the attacker as what appears to be a de facto bounty. Security firm Halborn published a technical breakdown of the exploit, which involved a signature-check bypass allowing unauthorized fund transfers.
This outcome reflects a familiar DeFi pattern: after an exploit, protocols often track attacker addresses on-chain and negotiate a return rather than pursue legal channels. The arrangement, while recovering part of the assets, raises questions about legitimacy and transparency. “The return is verifiable on-chain, but ambiguity around retained funds erodes user trust faster than the exploit itself,” noted the reporting.
For incident response, the case signals that clear disclosure—detailing exactly what was recovered, what was kept, and under what terms—is critical. Trusted Volumes now faces the task of rebuilding confidence by publishing a thorough post-mortem and demonstrating that the underlying vulnerability has been fixed.