Crypto Hackers Drain Over $36M From Protocols Using Unverified Contracts
A crypto hacker who drained $26 million from Ethereum-based protocol Truebit in January had likely practiced the technique on smaller targets first, according to blockchain analytics firm Chainalysis.
A Contract Left Exposed For Years
The Truebit exploit was the largest of four incidents Chainalysis identified in a new report covering the past six months. Together, those attacks — targeting Truebit, Trusted Volumes, Aperture Finance, and Ekubo — account for roughly $37 million in losses, all traced back to contracts whose source code had never been publicly verified on blockchain explorers.
The Truebit contract had been sitting on Ethereum since 2021. It was compiled using Solidity v0.5.3, a version released before automatic overflow protections became standard. An attacker found an integer overflow flaw inside its bonding curve mechanism and used it to mint large quantities of tokens at minimal cost before converting them to ETH.
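The arithmetic difference behind that flaw is easy to see in a model. The following is an added example, not code from the article, Chainalysis, or Truebit: a Python model of the EVM's 256-bit unsigned arithmetic, contrasting the wrapping operations that Solidity compilers before 0.8.0 emit unless the contract uses SafeMath with the checked operations that Solidity 0.8.0 and later emit by default. The bonding curve, its parameters, and the function names are constructed for illustration and say nothing about Truebit's actual curve.

```python
# Added example (not code from the article, Chainalysis or Truebit): a Python
# model of EVM uint256 arithmetic, contrasting wrapping operations, which is
# what Solidity compilers before 0.8.0 emit unless SafeMath is used, with
# checked operations, which Solidity 0.8.0 and later emit by default. The
# bonding curve and its parameters are constructed for illustration.

UINT256_MAX = (1 << 256) - 1


class ArithmeticOverflow(Exception):
    """Raised by the checked operations; the Solidity equivalent is a revert."""


def wrap_add(a: int, b: int) -> int:
    """Unchecked ADD as the EVM executes it: the sum wraps modulo 2**256."""
    return (a + b) & UINT256_MAX


def wrap_mul(a: int, b: int) -> int:
    """Unchecked MUL as the EVM executes it: the product wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def checked_add(a: int, b: int) -> int:
    """SafeMath-style add: refuse the operation instead of wrapping."""
    result = a + b
    if result > UINT256_MAX:
        raise ArithmeticOverflow("add overflow")
    return result


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style mul: refuse the operation instead of wrapping."""
    result = a * b
    if result > UINT256_MAX:
        raise ArithmeticOverflow("mul overflow")
    return result


# Hypothetical linear bonding curve (constructed parameters, not Truebit's):
# spot price in wei = BASE_PRICE + SLOPE * current_supply,
# cost of a mint    = amount * spot price.
BASE_PRICE = 10**15  # 0.001 ETH per token when supply is zero
SLOPE = 10**12       # each token already minted raises the price by 1e-6 ETH


def quote_cost(supply: int, amount: int, add, mul) -> int:
    """Wei required to mint `amount` tokens at `supply`, using the given ops."""
    spot = add(BASE_PRICE, mul(SLOPE, supply))
    return mul(amount, spot)


def quote_cost_unchecked(supply: int, amount: int) -> int:
    """How a pre-0.8 contract without SafeMath computes the quote."""
    return quote_cost(supply, amount, wrap_add, wrap_mul)


def quote_cost_checked(supply: int, amount: int) -> int:
    """How a 0.8+ contract (or one using SafeMath) computes the quote."""
    return quote_cost(supply, amount, checked_add, checked_mul)


def checked_quote_reverts(supply: int, amount: int) -> bool:
    """True if the checked quote refuses this mint (the desired behaviour)."""
    try:
        quote_cost_checked(supply, amount)
    except ArithmeticOverflow:
        return True
    return False


def smallest_wrapping_amount(supply: int) -> int:
    """Smallest mint size at which amount * spot exceeds 2**256 - 1. A property
    test would search for such inputs; the closed form keeps this deterministic."""
    spot = BASE_PRICE + SLOPE * supply
    return UINT256_MAX // spot + 1


def quote_is_sane(supply: int, amount: int, cost: int) -> bool:
    """Invariant worth enforcing in tests and in a runtime monitor: minting
    `amount` tokens never costs less than one token at the same supply."""
    one_token = BASE_PRICE + SLOPE * supply
    return amount == 0 or cost >= one_token


if __name__ == "__main__":
    supply = 1_000
    print("10 tokens, unchecked:", quote_cost_unchecked(supply, 10))
    print("10 tokens, checked:  ", quote_cost_checked(supply, 10))
    big = smallest_wrapping_amount(supply)
    print("wrapped quote for a huge mint:", quote_cost_unchecked(supply, big))
    print("checked quote reverts:", checked_quote_reverts(supply, big))
    print("wrapped quote passes invariant:",
          quote_is_sane(supply, big, quote_cost_unchecked(supply, big)))
```

For ordinary mint sizes both paths return the same quote; the difference only appears once a product exceeds 2**256 - 1, where the unchecked path returns a quote smaller than the price of a single token while the checked path refuses the transaction. The `quote_is_sane` invariant is the kind of check a test suite or a real-time monitor can apply to a contract whose source is not available for review.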
Why Closed Code Creates Open Risk
Verified contracts get reviewed. Bug bounty hunters read them. Independent researchers flag problems before attackers do. Unverified contracts get none of that scrutiny, and many bug bounty programs specifically exclude them from coverage — meaning vulnerabilities can sit untouched for years while millions of dollars flow through the affected code.
That gap is what Chainalysis says attackers are now exploiting. Each of the four compromised contracts lacked publicly available source code. Attackers worked instead from decompiled bytecode, converting raw on-chain code into readable output using tools like Dedaub, Heimdall, and Panoramix.
Once decompiled, the code can be fed into AI systems capable of spotting reentrancy flaws, arithmetic errors, and access-control weaknesses at a scale no human reviewer could match.
The $36.7 million figure is a fraction of total DeFi losses during the same period — Chainalysis puts the broader six-month theft total above $1 billion. But the firm argues the unverified contract problem could grow as automated analysis tools become cheaper and easier to use, allowing attackers to scan large numbers of dormant contracts and rank them by exploitability.
The Vulnerabilities Varied, But The Pattern Did Not
Across the four incidents, the specific bugs differed. Reports indicate weaknesses ranged from integer overflow and access-control failures to input-validation errors and identity verification flaws.
What they shared was the same protection gap: no public source code, no external review, and no real-time monitoring in place to catch abnormal activity before the funds were gone.
Chainalysis is recommending that protocols treat source-code verification as a baseline requirement for any contract holding user assets.
The firm also says audits and bug bounty coverage should extend to implementation contracts sitting behind proxy structures — components that often go unreviewed even when the front-facing contract is verified.
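Both recommendations can be turned into a routine inventory check. The following is an added example, not code from the article or from Chainalysis: a small triage helper that treats missing source verification as a high-severity finding, flags verified contracts built with a pre-0.8 compiler for a SafeMath review, and follows a proxy to the implementation contract behind it. The records it runs over are constructed and modelled on the shape of the result object returned by Etherscan's contract/getsourcecode endpoint (fields SourceCode, ABI, CompilerVersion, Proxy, Implementation); that shape, the placeholder addresses, and the placeholder commit hashes in the version strings are assumptions of this example, and nothing here touches the network.

```python
# Added example, not from the article or Chainalysis: a triage helper that
# treats source verification as a baseline and follows proxies to their
# implementation contracts. The records below are constructed and modelled on
# the shape of the result object returned by Etherscan's contract/getsourcecode
# endpoint (SourceCode, ABI, CompilerVersion, Proxy, Implementation); that
# shape is an assumption of this example, and nothing here touches the network.
import re
from dataclasses import dataclass

# Constructed sample records keyed by placeholder addresses; the commit hashes
# in the version strings are placeholders too.
SAMPLE_RECORDS = {
    "0x" + "a1" * 20: {  # verified proxy pointing at an unverified implementation
        "SourceCode": "contract Proxy { /* constructed source */ }",
        "ABI": "[]",
        "CompilerVersion": "v0.8.20+commit.0000000",
        "Proxy": "1",
        "Implementation": "0x" + "b2" * 20,
    },
    "0x" + "b2" * 20: {  # unverified implementation behind the proxy above
        "SourceCode": "",
        "ABI": "Contract source code not verified",
        "CompilerVersion": "",
        "Proxy": "0",
        "Implementation": "",
    },
    "0x" + "c3" * 20: {  # verified, but built with a pre-0.8 compiler
        "SourceCode": "contract Curve { /* constructed source */ }",
        "ABI": "[]",
        "CompilerVersion": "v0.5.3+commit.0000000",
        "Proxy": "0",
        "Implementation": "",
    },
}


@dataclass(frozen=True)
class Finding:
    address: str
    severity: str  # "high" or "medium"
    message: str


_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_solc_version(version: str):
    """Return (major, minor, patch) from a string like 'v0.5.3+commit.…', else None."""
    match = _VERSION_RE.search(version or "")
    return tuple(int(part) for part in match.groups()) if match else None


def triage(address: str, lookup, _seen=None) -> list:
    """Apply the verification baseline to `address` and, if it is a proxy, to the
    implementation it points at. `lookup(address)` returns a record or None."""
    seen = _seen if _seen is not None else set()
    key = address.lower()
    if key in seen:  # guard against proxy cycles
        return []
    seen.add(key)

    findings = []
    record = lookup(address)
    if record is None:
        findings.append(Finding(address, "medium",
                                "no explorer metadata; treat as unverified until confirmed"))
        return findings

    if not record.get("SourceCode"):
        findings.append(Finding(address, "high",
                                "source not verified on the explorer: outside most "
                                "review and bug bounty coverage"))
    else:
        version = parse_solc_version(record.get("CompilerVersion", ""))
        if version is not None and version < (0, 8, 0):
            findings.append(Finding(address, "medium",
                                    "compiled with solc %d.%d.%d: overflow checks are not "
                                    "on by default, confirm SafeMath usage" % version))

    # A verified proxy is not enough; the implementation must pass the same bar.
    if record.get("Proxy") == "1" and record.get("Implementation"):
        findings.extend(triage(record["Implementation"], lookup, seen))
    return findings


def lookup_sample(address: str):
    """Offline stand-in for an explorer query over the constructed records."""
    return SAMPLE_RECORDS.get(address.lower())


if __name__ == "__main__":
    for addr in SAMPLE_RECORDS:
        for finding in triage(addr, lookup_sample):
            print(finding.severity.upper(), finding.address, finding.message)
```

Running the helper over the proxy record yields no finding for the proxy itself but a high-severity finding for the implementation it delegates to, which is exactly the gap the report describes: the front-facing contract looks reviewed while the code that actually holds the logic has never been published.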
Featured image from CybersecAsia, chart from TradingView
Original source
Read on NewsBTC