On July 18, a wallet tied to the TrustedVolumes exploit pushed 1,122 ETH to a multisig address controlled by the protocol team. The transaction was neat. Clean. It told a story of partial restitution. The numbers on chain, however, tell a colder one.
The attacker originally made off with 2,513 ETH. They kept 1,391 ETH. That is not a 50/50 split. That is a 44.6% return rate. The remaining 55.4% – worth roughly $2 million at current prices – was framed as a ‘bug bounty.’ I do not see a bounty. I see a calculated extraction.
Context: The Attack That Wasn't Fully News
TrustedVolumes is not a household name. On May 7, 2024, the protocol lost approximately $5.8 million across ETH, WBTC, and stablecoins. The attack was detected by Shield, a monitoring service. The exact vulnerability was never publicly disclosed. What we know from on-chain data is that the attacker drained multiple asset pools, consolidated the funds into 2,513 ETH, and then waited.
Two months later, they returned half. The other half they labelled as ‘bounty.’ The protocol team accepted. No legal action was reported. No court order. Just a quiet transfer and a public statement that framed the episode as a successful resolution.
But the math does not lie. The protocol lost $5.8 million. The attacker returned the equivalent of $2 million. The remaining $3.8 million net loss still sits on the protocol’s balance sheet. The users who provided liquidity to those pools – they are the ones absorbing the damage.
Core: The On-Chain Evidence Chain
Let me walk through the transaction trail. The attacker’s address – 0x9f8c… – is publicly visible. On May 7, it initiated a series of calls that drained TrustedVolumes’ pools. The stolen assets were swapped to ETH via aggregators. The final balance: 2,513 ETH. That number is exact. No rounding.
On July 18, a single transaction from that address to a known TrustedVolumes multisig sent 1,122 ETH. Gas used: 21,000 units. No internal memo. No smart contract interaction. Just a plain transfer. The remaining 1,391 ETH – currently worth $2.06 million at the time of writing – still sits in the original attacker wallet. It has not moved since.
The protocol’s own statement called the 1,391 ETH a ‘bug bounty.’ But bug bounties are typically disclosed before an exploit, not after. The standard in DeFi is a whitehat return of all funds in exchange for a separate reward – often 10% paid by the protocol. Here, the attacker unilaterally decided to keep 55.4% of the stolen amount. And the protocol accepted.
This sets a dangerous precedent. If attackers can simply declare any retention a ‘bounty,’ then every exploit becomes a negotiation where the attacker holds the leverage. The data shows the average return rate in similar incidents – Poly Network (100%), Aurora (100%), Euler (100%) – is full restitution. TrustedVolumes is an outlier.
The real number to watch is not the 1,122 ETH returned. It is the 1,391 ETH retained. That is the cost of a flawed vulnerability disclosure process.
Contrarian: Correlation Is Not Causation
One might argue that a partial return is better than none. That the protocol at least recovered something. That the attacker showed ‘good faith.’ I disagree.
The attacker’s behavior is rational, not generous. By returning half, they reduce the likelihood of prosecution. They also signal that they are willing to cooperate – on their own terms. The protocol, by accepting, implicitly endorses the attacker’s framing. This creates a moral hazard: future attackers will see that retaining a majority of stolen funds is a viable exit strategy.
Furthermore, the data does not tell us why the attacker returned exactly 1,122 ETH. Was it negotiated? Was it the attacker’s arbitrary figure? The lack of transparency around the communication between the two parties is itself a risk factor. The public only sees the final transaction. The backend negotiations remain hidden.
The silence around the negotiation process is the most expensive asset in this bubble.
There is also the missing $1.8 million. The original loss was $5.8 million. The returned ETH is worth $2 million. The retained ETH is $2 million. That adds to $4 million. Where is the other $1.8 million? The answer likely lies in the conversion rates during the initial swap. The attacker may have incurred slippage or MEV losses. But the discrepancy highlights how imprecise these headline numbers are. ‘Half returned’ sounds clean. The on-chain reality is messier.
Yield is often the interest paid on risk you didn’t know you were taking. The depositors who trusted TrustedVolumes’ smart contracts took that risk. They are the ones who now face an incomplete recovery.
Takeaway: The Next-Week Signal
The attacker’s wallet still holds 1,391 ETH. If that ETH moves to an exchange in the coming weeks, it will signal an intent to cash out. If it remains dormant, it may indicate a longer-term strategy or a future negotiation. Either way, the protocol’s reputation has been permanently tagged.
For me, the lesson is not about TrustedVolumes specifically. It is about the industry’s tendency to celebrate partial wins. A 44.6% return is not a win. It is a loss – just one that is easier to announce.
I trust the code, not the community. And the code here is clear: the attacker still holds 55.4% of the booty. Watch the address, not the press release.