On January 8, 2026, the Truebit protocol suffered a major security breach that resulted in the loss of approximately 8,535 ETH, valued at around $26.4 million at the time. The exploit targeted the protocol’s Purchase smart contract, which managed the minting and burning of TRU tokens using a bonding curve pricing model. This incident quickly became one of the earliest major DeFi hacks of 2026 and exposed the ongoing risks posed by legacy smart contracts still operating in production.
The attacker exploited a flaw in the token pricing logic caused by an unsigned integer overflow. By supplying an extremely large input value to the getPurchasePrice(uint256 amount) function, the attacker made an intermediate addition wrap around modulo 2^256, so the function returned a purchase price of zero ETH. This allowed the attacker to mint an enormous amount of TRU tokens at no cost.
After minting the tokens, the attacker immediately burned them using the sellTRU() function, exchanging the newly minted TRU for ETH held by the contract. This mint-and-burn cycle was repeated multiple times within a single transaction, draining a total of 8,535.363 ETH from the protocol. The attack was executed atomically, leaving little opportunity for intervention once it began.
The root cause of the vulnerability was traced to an unprotected integer addition in the Purchase contract. Deployed in 2021 and compiled with Solidity 0.5.3, the contract relied on a compiler that, like every release before 0.8.0, performs no overflow or underflow checks on arithmetic: any protection has to come from an explicit library such as SafeMath. While SafeMath was used in other parts of the codebase, this specific function remained unprotected. Additionally, the contract imposed no supply cap or per-transaction limit, so arbitrarily large values could be passed without restriction. The source code was also unverified on Etherscan, which complicated early detection and review.
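To make the mechanism concrete, the following is an added illustration written for this post; it is not Truebit's code. It shows a minimal linear bonding-curve purchase contract in the style described above, first with the unchecked addition and no input bound, then hardened with SafeMath and a supply cap. The function names follow the article; the curve shape, the SCALE and MAX_SUPPLY constants, the state layout, and the OverflowProbe helper are assumptions made for the example.

```solidity
pragma solidity ^0.5.3;

// Added illustration, not Truebit's code. Curve, constants and state layout are assumed.

library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256 c) {
        c = a + b;
        require(c >= a, "SafeMath: add overflow");
    }
    function mul(uint256 a, uint256 b) internal pure returns (uint256 c) {
        if (a == 0) return 0;
        c = a * b;
        require(c / a == b, "SafeMath: mul overflow");
    }
}

// --- Before: unchecked arithmetic and no bound on `amount` ---------------
contract VulnerablePurchase {
    uint256 public totalSupply;
    uint256 internal constant SCALE = 1e18;
    mapping(address => uint256) public balanceOf;

    // Cost in wei of buying `amount` TRU (18-decimal units) when `totalSupply`
    // are outstanding. Under 0.5.x both operations wrap silently.
    function getPurchasePrice(uint256 amount) public view returns (uint256) {
        uint256 newSupply = totalSupply + amount;   // wraps to 0 when amount == 2**256 - totalSupply
        return amount * newSupply / SCALE;          // ... and the quote becomes 0 wei
    }

    function buyTRU(uint256 amount) external payable {
        require(msg.value >= getPurchasePrice(amount), "insufficient ETH");
        totalSupply += amount;                      // wraps as well
        balanceOf[msg.sender] += amount;
    }
}

// --- After: checked arithmetic plus an explicit supply cap ---------------
contract HardenedPurchase {
    using SafeMath for uint256;

    uint256 public totalSupply;
    uint256 internal constant SCALE = 1e18;
    // Hard cap on supply (assumed: 1 billion TRU); any quote beyond it is
    // rejected before the multiplication runs.
    uint256 public constant MAX_SUPPLY = 1e9 * 1e18;
    mapping(address => uint256) public balanceOf;

    function getPurchasePrice(uint256 amount) public view returns (uint256) {
        uint256 newSupply = totalSupply.add(amount);   // reverts instead of wrapping
        require(newSupply <= MAX_SUPPLY, "exceeds supply cap");
        return amount.mul(newSupply) / SCALE;          // reverts instead of wrapping
    }

    function buyTRU(uint256 amount) external payable {
        require(amount > 0, "zero amount");
        uint256 price = getPurchasePrice(amount);
        // Also refuse quotes that round down to zero: free tokens are never legitimate here.
        require(price > 0 && msg.value >= price, "insufficient ETH");
        totalSupply = totalSupply.add(amount);
        balanceOf[msg.sender] = balanceOf[msg.sender].add(amount);
    }
}

// Hypothetical helper reproducing the attacker's quote against the vulnerable contract.
contract OverflowProbe {
    function zeroPriceAmount(VulnerablePurchase p)
        external view returns (uint256 amount, uint256 price)
    {
        // 2**256 - totalSupply: the addition inside getPurchasePrice lands exactly on 0.
        amount = uint256(-1) - p.totalSupply() + 1;
        price = p.getPurchasePrice(amount);           // 0 for any non-zero totalSupply
    }
}
```

Against HardenedPurchase the same call reverts in SafeMath.add before the multiplication is reached, and even a value just under the wrap point is stopped by the MAX_SUPPLY check. Note that from Solidity 0.8.0 onward the compiler inserts these overflow checks itself, so an equivalent contract compiled today would revert on the addition unless the code was deliberately placed in an `unchecked { }` block; contracts pinned to 0.5.x or 0.6.x, as this one was, get no such protection.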
The impact of the exploit was severe. The TRU token price collapsed from approximately $0.16 to near zero, effectively wiping out market value and liquidity. Following the attack, the stolen ETH was routed through multiple intermediary wallets and later deposited into Tornado Cash, making recovery efforts more challenging. The Truebit team publicly acknowledged the incident and stated that they were coordinating with law enforcement and external cybersecurity experts, though no compensation plan had been announced at the time of writing.
This incident underscores how seemingly minor oversights in older smart contracts can lead to catastrophic outcomes years later. Missing overflow checks, outdated Solidity versions, and unbounded input parameters remain recurring themes across many major exploits.
Want to know more?
We’ve published a detailed, step-by-step breakdown of the exploit mechanics, root cause analysis, and funds flow in our full blog — Truebit $26M Hack Explained
For teams looking to understand broader exploit trends and prevention strategies, QuillAudits has published the 2025 Web3 Hack Report, which analyzes major incidents, recurring vulnerability patterns, and actionable security lessons from across the ecosystem.