Attacker Exploits Unverified Ethereum Contract, Stealing $26.2 Million From Truebit

09 June, 2026 | Crypto | 5 sources

Key Takeaways

  • Unverified smart contracts linked to $36.7 million in losses over six months.
  • AI-assisted analysis and decompilation tools enable attackers to reverse-engineer code and exploit unverified contracts.
  • Disagreement on affected protocol count: four vs five protocols reported.

$36.7M DeFi losses

Chainalysis said decentralized finance protocols lost at least $36.7 million over the past six months due to hacks targeting unverified smart contracts, with the findings cited by Cointelegraph.


The largest incident involved Truebit, an Ethereum-based protocol designed to verify computational tasks, where an attacker exploited an unverified smart contract deployed on Ethereum since 2021 and stole $26.2 million.


Cryptonews.net reported that the Truebit loss followed an integer overflow vulnerability in a contract that had remained unverified on Ethereum since 2021.

Chainalysis also linked other affected protocols to the same pattern, including Trusted Volumes, Aperture Finance and Ekubo, while details on their individual losses remained limited in the Cointelegraph-cited account.

AI and decompilers

Chainalysis said recent advancements in decompiler tools and artificial intelligence are making these exploits easier to execute, lowering the barrier to entry for malicious actors.

Bitcoin World quoted Chainalysis describing how smart contracts that once required days of manual analysis by specialized security experts can now be analyzed and exploited at scale using AI-driven tools.


Cryptonews.net added that what once required “a skilled reverse engineer spending days on a single contract” can now be partially automated across large numbers of unverified contracts.

The report also challenged the idea that keeping smart contract code private provides security, with Cryptonews.net saying Chainalysis warned that protocols relying on hidden code are increasingly depending on “obscurity as a security measure,” which it said is rapidly losing effectiveness.

What comes next

Chainalysis recommended source code verification, broader bug bounty coverage and real-time monitoring tools as safeguards against future exploits, according to Cryptonews.net.

Five protocols saw exploits on unverified smart contracts


Cointelegraph’s account framed the same issue as a transparency requirement, noting that unverified smart contracts lack publicly available source code on blockchain explorers like Etherscan.

Cryptonews.net also placed the $36.7 million report amid a broader rise in crypto exploits, citing DeFiLlama as reporting that hackers stole $629.7 million in April alone, the highest monthly total since February 2025.

In June, Arkham reported that the attacker behind the KelpDAO exploit had laundered nearly all of the roughly $220 million in unfrozen stolen funds, while Cointelegraph’s broader context pointed to ongoing security and regulatory scrutiny for the DeFi sector.
