Synopsis: Hackers exploited an integer overflow flaw in Truebit’s legacy smart contract, minting millions of TRU tokens for near-zero ETH and draining $26 million in liquidity.
A critical security flaw in the Truebit Protocol led to a devastating $26 million exploit. On January 8, 2026, hackers drained approximately 8,535 ETH from the platform. The attack exploited an integer overflow vulnerability in legacy smart-contract code. As a result, the native TRU token crashed by 99%, wiping out most of its market value.
The attacker manipulated a loophole in the protocol’s minting contract. This vulnerability allowed them to create massive amounts of tokens without paying any ETH. The exploit marks one of the first major DeFi hacks of 2026. Moreover, it highlights persistent security risks in blockchain projects.
Truebit is an Ethereum-based protocol designed for verifiable off-chain computation. The platform helps solve scalability issues for complex calculations. However, the exploit targeted a legacy Purchase contract deployed around 2021. This outdated contract remained active and vulnerable to attacks.
How the Integer Overflow Flaw Worked
The root cause stemmed from an integer overflow vulnerability in outdated Solidity code. The contract used compiler version 0.6.10, which performs no overflow checks on arithmetic. Solidity 0.8.0 and later, by contrast, revert automatically when an arithmetic operation overflows.
Blockchain security firm SlowMist conducted a detailed post-mortem analysis. They discovered the contract’s price calculations were erroneously reduced to zero. “Due to a lack of overflow protection in an integer addition operation, the Purchase contract produced an incorrect result,” SlowMist explained. The contract failed to properly calculate the ETH required to mint TRU tokens.
The attacker supplied a carefully crafted large mint amount during the transaction. The input was large enough that the contract's addition exceeded the maximum value of uint256. Without a SafeMath library or compiler-level checks, the calculation wrapped around. Thus, the computed price became near-zero instead of the expected high value.
The buy function then accepted approximately zero ETH as payment. It minted hundreds of millions of TRU tokens based on the bogus low price. The attacker then sold these tokens back into the protocol's reserve pool, extracting real ETH from the contract's liquidity reserves.
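The following is an added illustration, not Truebit's Purchase contract and not SlowMist's post-mortem code: a deliberately simplified "buy tokens for ETH" contract in which the ETH charged is derived from the post-mint supply. The contract names, the pricing rule and the constants are constructed for this example. The legacy variant reproduces Solidity 0.6.x wrapping arithmetic inside an `unchecked` block so both variants compile under one 0.8.x pragma; the hardened variant shows what checked arithmetic (or SafeMath in a pre-0.8 contract) plus an explicit supply cap does to the same inputs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Not Truebit's contract: the names, the pricing
// rule (cost computed from the post-mint supply) and the constants below are
// constructed to show the shape of the defect, an unprotected addition whose
// result feeds the price.

// Legacy pattern. Solidity 0.6.x had no overflow checks, so `+` and `*`
// silently wrapped modulo 2**256; the `unchecked` block reproduces that here.
contract PurchaseLegacy {
    uint256 public constant PRICE_PER_TOKEN = 1e15; // constructed: 0.001 ETH per whole token
    uint256 public totalMinted;                     // 18-decimal token units
    mapping(address => uint256) public balanceOf;

    // ETH required for `amount`, derived from the supply after minting.
    function priceFor(uint256 amount) public view returns (uint256) {
        unchecked {
            uint256 newSupply = totalMinted + amount;   // wraps for a huge `amount`
            return newSupply * PRICE_PER_TOKEN / 1e18;  // so the price can collapse to ~0
        }
    }

    function buy(uint256 amount) external payable {
        uint256 cost = priceFor(amount);
        require(msg.value >= cost, "insufficient ETH"); // ~0 ETH passes once the sum wrapped
        unchecked {
            totalMinted += amount;
            balanceOf[msg.sender] += amount;            // huge balance minted for almost nothing
        }
    }
}

// Hardened pattern. With Solidity >=0.8.0 default arithmetic, the same
// addition reverts (panic 0x11) instead of wrapping; a 0.6.x contract gets the
// equivalent from SafeMath's add/mul. The explicit cap additionally rejects
// absurd mint sizes with a clear error and keeps the later multiplication
// far from the uint256 limit.
contract PurchaseHardened {
    uint256 public constant PRICE_PER_TOKEN = 1e15;
    uint256 public constant MAX_SUPPLY = 1e27;      // constructed cap: 1e9 tokens, 18 decimals
    uint256 public totalMinted;
    mapping(address => uint256) public balanceOf;

    function priceFor(uint256 amount) public view returns (uint256) {
        uint256 newSupply = totalMinted + amount;       // reverts rather than wrapping
        require(newSupply <= MAX_SUPPLY, "exceeds max supply");
        // newSupply <= 1e27 and PRICE_PER_TOKEN = 1e15, so the product <= 1e42 < 2**256.
        return newSupply * PRICE_PER_TOKEN / 1e18;
    }

    function buy(uint256 amount) external payable {
        uint256 cost = priceFor(amount);
        require(msg.value >= cost, "insufficient ETH");
        totalMinted += amount;                          // checked
        balanceOf[msg.sender] += amount;                // checked
    }
}
```

The point of the pair is that `PurchaseLegacy.priceFor` can return a tiny number for an enormous `amount` purely because of modular wraparound in the addition, while `PurchaseHardened.priceFor` reverts on the same call before any tokens are minted. A static check on legacy deployments is cheap: any contract still pinned to a pre-0.8 pragma whose arithmetic is not routed through SafeMath (or an equivalent library) deserves the same review the hardened contract encodes.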
Attacker Drained Reserves Through Repeated Cycles
The hacker repeated this mint-and-sell process in rapid loops. Some cycles occurred within the same transaction, scaling up mint amounts continuously. The attacker’s primary wallet address drained around $26 million worth of ETH. Furthermore, a follow-up exploit extracted another $300,000 from the protocol.
The stolen funds were reportedly routed through Tornado Cash for laundering. This made tracking and recovery efforts significantly more challenging. The TRU token price plummeted to near-zero as liquidity evaporated rapidly. Investors watched helplessly as the token-bonding mechanism collapsed under pressure.
Truebit launched on the Ethereum mainnet almost five years ago in April 2021. The protocol once pioneered concepts that influenced optimistic rollups and verification platforms. However, this incident proves even established protocols face threats from legacy code vulnerabilities.
Smart-Contract Vulnerabilities
Smart-contract vulnerabilities represented the largest attack vector for the cryptocurrency industry in 2025. According to SlowMist’s year-end report, there were 56 cybersecurity incidents involving contract flaws. These vulnerabilities accounted for 30.5% of all crypto exploits last year.
Account compromises ranked second with 50 incidents, representing 24% of total attacks. Private key leaks came in third place at 8.5%. Additionally, crypto phishing scams emerged as the second-largest threat of 2025. These social engineering schemes cost investors a cumulative $722 million across 248 incidents.
However, blockchain security platform CertiK noted some positive trends. The $722 million lost to phishing represented a 38% decrease from 2024, when phishing scams had stolen approximately $1 billion from crypto users. This suggests investors are becoming more aware of security threats.
Interestingly, artificial intelligence is now playing a role in discovering vulnerabilities. Anthropic's research revealed that AI agents found $4.6 million worth of smart-contract exploits. Anthropic's Claude Opus 4.5 and Claude Sonnet 4.5, together with OpenAI's GPT-5, collectively developed working exploits, which the AI company's red team tested against various smart contracts.
Lessons for the Blockchain Industry
The Truebit exploit serves as a stark reminder about blockchain security challenges. Old contracts can become ticking time bombs if left unmaintained. Even protocols with years of operation need regular audits and security upgrades.
The team confirmed the incident and urged users to avoid the vulnerable contract. They are now working with investigators and law enforcement agencies. However, no full recovery of the stolen funds has been reported yet.
Security experts emphasize that audits represent only point-in-time assessments. Unmaintained code can expose millions in value years after initial deployment. Projects must implement overflow protections like SafeMath libraries in legacy contracts. Furthermore, teams should consider upgrading to newer Solidity versions with built-in safety features.
This incident demonstrates how attackers increasingly target dormant code in long-running projects. They search for overlooked vulnerabilities in contracts deployed years ago. Therefore, blockchain projects must prioritize ongoing security maintenance and monitoring.
The cryptocurrency industry continues facing evolving threats from sophisticated attackers. Projects must remain vigilant and proactive in addressing potential vulnerabilities. Users should always verify their interactions with older contracts before conducting transactions.
Written By Fazal Ul Vahab C H

