Security firms SlowMist and PeckShield identified a critical bug in the RFQ contract’s fillOrder function. The flaw allowed attackers to forge orders by registering as authorized signers.

TrustedVolumes has reached out to the exploiter, offering a bug bounty to facilitate the return of funds.

The exploit specifically targeted addresses with unlimited approvals, reigniting industry-wide debates on the safety of custodial setups and high-permission smart contracts.