A $26 million exploit of the offline computation protocol Truebit stemmed from a smart-contract flaw that allowed an attacker to mint tokens at near-zero cost, highlighting persistent security risks even in long-running blockchain projects.
The exploit resulted in a 99% crash for the Truebit (TRU) token, Cointelegraph reported on Friday.
The attacker abused a loophole in the protocol’s smart-contract logic, which enabled them to mint “massive amounts of tokens without paying any ETH,” according to blockchain security company SlowMist, which published a post-mortem analysis on Tuesday.
“Due to a lack of overflow protection in an integer addition operation, the Purchase contract of Truebit Protocol produced an incorrect result when calculating the amount of ETH required to mint TRU tokens,” SlowMist said.
The smart contract’s price calculations were then “erroneously reduced to zero,” enabling the attacker to drain the contract’s reserves by minting $26 million worth of tokens “at nearly no cost,” the post mortem said.
Because the contract was compiled with Solidity 0.6.10, an older compiler version that did not include built-in overflow checks, calculations exceeding the maximum value of “uint256” resulted in a “silent overflow,” causing the result to “wrap around a small value near zero.”
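
The wrap-around SlowMist describes, modelled in Python as an added example (not code from Truebit or SlowMist). The pricing step `quote_cost`, its `WEI` divisor and the sample operands are hypothetical and constructed; only the 256-bit truncation mirrors how a contract compiled without overflow checks behaves.

```python
"""uint256 addition as it behaves in a contract compiled without overflow checks."""

UINT256_MAX = 2**256 - 1
WEI = 10**18  # assumed fixed-point divisor, for illustration only


class Overflow(ArithmeticError):
    """Stands in for the revert a checked addition would trigger on-chain."""


def add_unchecked(a: int, b: int) -> int:
    # Without compiler checks the sum is silently truncated to 256 bits.
    return (a + b) & UINT256_MAX


def add_checked(a: int, b: int) -> int:
    # SafeMath-style guard: reject any sum that does not fit in uint256.
    total = a + b
    if total > UINT256_MAX:
        raise Overflow("uint256 addition overflow")
    return total


def quote_cost(term_a: int, term_b: int, add) -> int:
    # Hypothetical pricing step: ETH owed = (term_a + term_b) / WEI.
    return add(term_a, term_b) // WEI


def wraps(term_a: int, term_b: int) -> bool:
    # Differential check for a fuzz or invariant test: compare the 256-bit
    # result against exact integer arithmetic.
    return quote_cost(term_a, term_b, add_unchecked) != (term_a + term_b) // WEI


# Constructed operands whose true sum is 2**256 + 4.
TERM_A = UINT256_MAX - WEI
TERM_B = WEI + 5

if __name__ == "__main__":
    print("unchecked cost:", quote_cost(TERM_A, TERM_B, add_unchecked))
    print("wrap detected:", wraps(TERM_A, TERM_B))
    try:
        quote_cost(TERM_A, TERM_B, add_checked)
    except Overflow as exc:
        print("checked add rejects the quote:", exc)
```

The `wraps` comparison is the kind of invariant a fuzz test can assert on every arithmetic step of a pricing function before deployment.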

The exploit shows that even the more established protocols are threatened by hackers. Truebit was launched on the Ethereum mainnet almost five years ago in April 2021.
Smart-contract security attracted interest at the end of last year, when an Anthropic study revealed that commercially available artificial intelligence (AI) agents had found $4.6 million worth of smart contract exploits.
Anthropic’s Claude Opus 4.5, Claude Sonnet 4.5 and OpenAI’s GPT-5 collectively developed exploits worth $4.6 million when tested on smart contracts, according to a research paper released by the AI company’s red team, dedicated to discovering code vulnerabilities before malicious actors can find them.

Smart-contract bugs largest attack vector of 2025
Smart-contract vulnerabilities were the largest attack vector for the cryptocurrency industry in 2025, with 56 cybersecurity incidents, while account compromises ranked second with 50 incidents, according to SlowMist’s year-end report.
Contract vulnerabilities accounted for 30.5% of all the crypto exploits in 2025, while hacked X accounts accounted for 24% and private key leaks ranked third at 8.5%.

Meanwhile, other hackers are switching strategies from protocol hacks to exploiting weak links in onchain human behavior.
Crypto phishing scams emerged as the second-largest threat of 2025, costing crypto investors a cumulative $722 million across 248 incidents, according to blockchain security platform CertiK.
Crypto phishing attacks are social engineering schemes that don’t require hacking code. Instead, attackers share fraudulent links to steal victims’ sensitive information, such as the private keys to crypto wallets.
Still, investors are becoming more aware of this threat, as the $722 million was 38% less than the $1 billion stolen through phishing scams in 2024.

