
Crypto Hackers Drain Over $36M From Protocols Using Unverified Contracts

A crypto hacker who drained $26 million from Ethereum-based protocol Truebit in January had likely practiced the technique on smaller targets first, according to blockchain analytics firm Chainalysis.

A Contract Left Exposed For Years

The Truebit exploit was the largest of four incidents Chainalysis identified in a new report covering the past six months. Together, those attacks — targeting Truebit, Trusted Volumes, Aperture Finance, and Ekubo — account for roughly $37 million in losses, all traced back to contracts whose source code had never been publicly verified on blockchain explorers.

The Truebit contract had been sitting on Ethereum since 2021. It was compiled using Solidity v0.5.3, a version released before automatic overflow protections became standard. An attacker found an integer overflow flaw inside its bonding curve mechanism and used it to mint large quantities of tokens at minimal cost before converting them to ETH.
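The overflow class described above, as an added illustration that is not Truebit's code and not from the article: a Python model of EVM uint256 arithmetic with a toy quadratic bonding curve (the curve shape, `PRICE_WEI` and the sample amounts are constructed), contrasting the wrapping multiply that Solidity versions before 0.8 emit with a SafeMath-style checked multiply that reverts.

```python
# Added example: models how pre-0.8 Solidity (including v0.5.3) silently wraps
# on overflow, so a bonding curve pricing a mint as amount * amount * PRICE can
# quote a wrapped, near-zero cost. The checked variant reverts instead, which is
# what SafeMath or Solidity >= 0.8 checked arithmetic would do.

UINT256_MAX = (1 << 256) - 1
PRICE_WEI = 10**12  # constructed slope: cost in wei grows with the square of amount


class ArithmeticRevert(Exception):
    """Models a transaction revert raised by checked arithmetic."""


def mul_wrapping(a: int, b: int) -> int:
    """uint256 multiplication as compiled by Solidity < 0.8: product mod 2**256."""
    return (a * b) & UINT256_MAX


def mul_checked(a: int, b: int) -> int:
    """SafeMath-style multiplication: revert when the product does not fit."""
    product = a * b
    if product > UINT256_MAX:
        raise ArithmeticRevert("uint256 multiplication overflow")
    return product


def quote_mint_cost(amount: int, checked: bool) -> int:
    """Cost in wei to mint `amount` tokens on the toy quadratic curve."""
    mul = mul_checked if checked else mul_wrapping
    return mul(mul(amount, amount), PRICE_WEI)


def checked_quote_reverts(amount: int) -> bool:
    """True when the hardened curve refuses to quote a price for `amount`."""
    try:
        quote_mint_cost(amount, checked=True)
    except ArithmeticRevert:
        return True
    return False


if __name__ == "__main__":
    normal = 1000 * 10**18  # 1000 tokens with 18 decimals; square fits easily
    huge = 1 << 128         # an amount whose square is exactly 2**256
    print("normal mint, wrapping :", quote_mint_cost(normal, checked=False))
    print("normal mint, checked  :", quote_mint_cost(normal, checked=True))
    print("huge mint,   wrapping :", quote_mint_cost(huge, checked=False))  # 0
    print("huge mint,   checked  :", checked_quote_reverts(huge))           # True
```

For ordinary amounts both paths agree; the difference only shows once the square no longer fits in 256 bits, which is exactly the region a pre-0.8 contract without SafeMath never guards.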

Why Closed Code Creates Open Risk

Verified contracts get reviewed. Bug bounty hunters read them. Independent researchers flag problems before attackers do. Unverified contracts get none of that scrutiny, and many bug bounty programs specifically exclude them from coverage — meaning vulnerabilities can sit untouched for years while millions of dollars flow through the affected code.

That gap is what Chainalysis says attackers are now exploiting. Each of the four compromised contracts lacked publicly available source code. Attackers worked instead from decompiled bytecode, converting raw on-chain code into readable output using tools like Dedaub, Heimdall, and Panoramix.

Once decompiled, the code can be fed into AI systems capable of spotting reentrancy flaws, arithmetic errors, and access-control weaknesses at a scale no human reviewer could match.

The $36.7 million figure is a fraction of total DeFi losses during the same period — Chainalysis puts the broader six-month theft total above $1 billion. But the firm argues the unverified contract problem could grow as automated analysis tools become cheaper and easier to use, allowing attackers to scan large numbers of dormant contracts and rank them by exploitability.

The Vulnerabilities Varied, But The Pattern Did Not

Across the four incidents, the specific bugs differed. Reports indicate weaknesses ranged from integer overflow and access-control failures to input-validation errors and identity verification flaws.

What they shared was the same protection gap: no public source code, no external review, and no real-time monitoring in place to catch abnormal activity before the funds were gone.

Chainalysis is recommending that protocols treat source-code verification as a baseline requirement for any contract holding user assets.

The firm also says audits and bug bounty coverage should extend to implementation contracts sitting behind proxy structures — components that often go unreviewed even when the front-facing contract is verified.

Featured image from CybersecAsia, chart from TradingView
