Currencies38120
Market Cap$ 2.27T+2.11%
24h Spot Volume$ 34.09B+2.96%
DominanceBTC56.37%+0.63%ETH9.41%-0.02%
ETH Gas0.09 Gwei
Cryptorank
/

Crypto Hackers Drain Over $36M From Protocols Using Unverified Contracts


Crypto Hackers Drain Over $36M From Protocols Using Unverified Contracts

Share:

AI Overview

A hacker drained $26 million from Ethereum protocol Truebit in January by exploiting an integer overflow in an unverified contract compiled with Solidity v0.5.3, part of four attacks that totaled $36.7 million over six months while DeFi thefts exceeded $1 billion in the same period. Chainalysis says attackers are decompiling unverified smart contracts and using automated and AI-powered analysis to find flaws, and recommends mandatory source-code verification, broader audits and bug bounty coverage for implementation and proxy contracts to improve crypto security and reduce token and protocol risk.

Bearish

Predictions Markets

See what traders are focused on

View analytics →
Prediction Banner

A crypto hacker who drained $26 million from Ethereum-based protocol Truebit in January had likely practiced the technique on smaller targets first, according to blockchain analytics firm Chainalysis.

A Contract Left Exposed For Years

The Truebit exploit was the largest of four incidents Chainalysis identified in a new report covering the past six months. Together, those attacks — targeting Truebit, Trusted Volumes, Aperture Finance, and Ekubo — account for roughly $37 million in losses, all traced back to contracts whose source code had never been publicly verified on blockchain explorers.

The Truebit contract had been sitting on Ethereum since 2021. It was compiled using Solidity v0.5.3, a version released before automatic overflow protections became standard. An attacker found an integer overflow flaw inside its bonding curve mechanism and used it to mint large quantities of tokens at minimal cost before converting them to ETH.

Why Closed Code Creates Open Risk

Verified contracts get reviewed. Bug bounty hunters read them. Independent researchers flag problems before attackers do. Unverified contracts get none of that scrutiny, and many bug bounty programs specifically exclude them from coverage — meaning vulnerabilities can sit untouched for years while millions of dollars flow through the affected code.

That gap is what Chainalysis says attackers are now exploiting. Each of the four compromised contracts lacked publicly available source code. Attackers worked instead from decompiled bytecode, converting raw on-chain code into readable output using tools like Dedaub, Heimdall, and Panoramix.

Once decompiled, the code can be fed into AI systems capable of spotting reentrancy flaws, arithmetic errors, and access-control weaknesses at a scale no human reviewer could match.

The $36.7 million figure is a fraction of total DeFi losses during the same period — Chainalysis puts the broader six-month theft total above $1 billion. But the firm argues the unverified contract problem could grow as automated analysis tools become cheaper and easier to use, allowing attackers to scan large numbers of dormant contracts and rank them by exploitability.

The Vulnerabilities Varied, But The Pattern Did Not

Across the four incidents, the specific bugs differed. Reports indicate weaknesses ranged from integer overflow and access-control failures to input-validation errors and identity verification flaws.

What they shared was the same protection gap: no public source code, no external review, and no real-time monitoring in place to catch abnormal activity before the funds were gone.

Chainalysis is recommending that protocols treat source-code verification as a baseline requirement for any contract holding user assets.

The firm also says audits and bug bounty coverage should extend to implementation contracts sitting behind proxy structures — components that often go unreviewed even when the front-facing contract is verified.

Featured image from CybersecAsia, chart from TradingView

Read the article at NewsBTC

In This News

Coins

$ 64.01K

+2.86%

$ 1.78K

+2.18%

Predictions Markets

See what traders are focused on

View analytics →
Prediction Banner

Share:

In This News

Coins

$ 64.01K

+2.86%

$ 1.78K

+2.18%

Predictions Markets

See what traders are focused on

View analytics →
Prediction Banner

Share:

Read More

Ethereum Gas At 1 Gwei Gives Mainnet Users A Rare Cheap Window

Ethereum Gas At 1 Gwei Gives Mainnet Users A Rare Cheap Window

Ethereum mainnet is rarely described as cheap, but 1 gwei gas changes the tone. For u...
Aave V4 Gas Optimization Push Shows DeFi Is Still Fighting Its Cost Problem

Aave V4 Gas Optimization Push Shows DeFi Is Still Fighting Its Cost Problem

Aave’s V4 discussion is a useful reminder that DeFi’s next cycle will not be won only...