The TrustedVolumes RFQ proxy has a critically broken fill function. The EIP-712 signature commits to (makerToken, takerToken, makerAmount, takerAmount, maker, counterparty, expiry, salt), and the contract checks _allowedOrderSigner[signedMaker][recoveredSigner]. But the function also takes unsigned calldata that does the actual transfer - including the real from address, real token, and real amounts. Nothing binds the executed from to the signed maker.
Loss
$5.87M
Risk
Signature/Execution Parameter Mismatch — AI-flagged
Confidence
88%
Instant Forensic Report · x402 on Solana
Pay once with SOL via x402 — the machine-to-machine payment protocol on Solana. Full wallet trace, fund flow graph, exploit PoC, and PDF export unlocked instantly.
x402 · HTTP 402 payment required · Solana Mainnet · Demo mode
Reporter Agent synthesis with forensic confidence scoring
The TrustedVolumes RFQ proxy has a critically broken fill function. The EIP-712 signature commits to (makerToken, takerToken, makerAmount, takerAmount, maker, counterparty, expiry, salt), and the contract checks _allowedOrderSigner[signedMaker][recoveredSigner]. But the function also takes unsigned calldata that does the actual transfer - including the real from address, real token, and real amounts. Nothing binds the executed from to the signed maker.
Type: Signature/Execution Parameter Mismatch. See source analysis for full root-cause breakdown.
confidence score
Signature/Execution Parameter Mismatch — AI-flagged
Attacker path, bridge transfers, token drains, mixer usage
Signature/Execution Parameter Mismatch
Signature/Execution Parameter Mismatch
https://etherscan.io/tx/0xc5c61b3ac39d854773b9dc34bd0cdbc8b5bbf75f18551802a0b5881fcb990513https://etherscan.io/address/0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31Emergency Bridge
Move funds off Ethereum
If your assets are at risk on Ethereum, bridge them to a safer chain immediately via LI.FI — the cross-chain aggregator covering 60+ chains and all major Solana bridges.
From (at risk)
Ethereum
Bridge to
Best Route via LI.FI
Ethereum → Ethereum
Mayan Swift • Across • Glacis aggregated
Est. Fee
~$0.50
60+ chains · gasless swaps on Solana · Jito bundles
60+
Chains
$2B+
Volume
20+
Bridges
2026-05-07
The TrustedVolumes RFQ proxy has a critically broken fill function. The EIP-712 signature commits to (makerToken, takerToken, makerAmount, takerAmount, maker, counterparty, expiry, salt), and the contract checks _allowedOrderSigner[signedMaker][recoveredSigner]. But the function also takes unsigned calldata that does the actual transfer - including the real from address, real token, and real amounts. Nothing binds the executed from to the signed maker.
Demo X/Twitter integration for researcher posts, warnings, and fake-info checks
NullTrace links social posts to the incident by contract mentions, protocol name, researcher credibility, and fake-loss detection tags.
DefimonAlerts
@DefimonAlerts · 2026-05-07
The TrustedVolumes RFQ proxy has a critically broken fill function. The EIP-712 signature commits to (makerToken, takerToken, makerAmount, takerAmount, maker, counterparty, expiry, salt), and the contract checks _allowedOrderSigner[signedMaker][recoveredSigner]. But the function also takes unsigned calldata that does the actual transfer - including the real from address, real token, and real amounts. Nothing binds the executed from to the signed maker.
DefimonAlerts
@DefimonAlerts · 2026-05-07
The TrustedVolumes RFQ proxy has a critically broken fill function. The EIP-712 signature commits to (makerToken, takerToken, makerAmount, takerAmount, maker, counterparty, expiry, salt), and the contract checks _allowedOrderSigner[signedMaker][recoveredSigner]. But the function also takes unsigned calldata that does the actual transfer - including the real from address, real token, and real amounts. Nothing binds the executed from to the signed maker.
Generated incident narration for security leadership
briefing ready · 00:58 · analyst-grade summary