Crypto Hackers Drain Over $36M From Protocols Using Unverified Contracts

Summary

A hacker who stole $26 million from Truebit likely tested the method on smaller targets first. Chainalysis says Truebit was one of four recent DeFi exploits, alongside Trusted Volumes, Aperture Finance, and Ekubo, that together caused about $37 million in losses. In each case, the vulnerable contracts had never had their source code publicly verified, meaning no source had been published and matched against the deployed bytecode. Truebit's contract, deployed in 2021, was compiled with an older Solidity version (before 0.8.0, arithmetic wraps silently on overflow unless a library such as SafeMath is used) and contained an integer overflow flaw in its bonding curve, letting the attacker mint tokens for almost nothing and swap them for ETH. Chainalysis argues unverified contracts are especially risky because they escape the normal code review, bug bounties, and monitoring that published source attracts, while offering attackers little protection: they can decompile the bytecode and then use tooling and AI to find flaws such as reentrancy, access-control, and input-validation errors. The firm recommends source-code verification as a baseline for any contract holding user funds, including the implementation contracts behind proxies.
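The overflow class of bug described above is easy to see in a model. The following is an added example written for this page, not Truebit's contract or any code from Chainalysis: a toy linear bonding curve (price per token = base_price + slope * supply, a constructed formula) in which `checked=False` emulates pre-0.8 Solidity wrapping modulo 2**256 and `checked=True` emulates the revert-on-overflow behaviour of Solidity 0.8+. `overflow_amount` computes the mint size an attacker would pick so that `amount * price` wraps to a value smaller than the price of a single token; the 0.001 ETH price and the 2**256 word size are the only numbers involved, and the curve itself is hypothetical.

```python
"""Toy model of an integer-overflow bug in a bonding-curve mint (constructed example)."""

MOD = 2**256  # EVM word size; pre-0.8 Solidity arithmetic wraps modulo this


class Overflow(Exception):
    """Raised by the checked variant, mirroring a Solidity >=0.8 revert."""


def mul(a: int, b: int, checked: bool) -> int:
    """uint256 multiplication: wrap (pre-0.8) or revert (0.8+) on overflow."""
    r = a * b
    if r >= MOD:
        if checked:
            raise Overflow(f"{a} * {b} exceeds uint256")
        return r % MOD
    return r


def add(a: int, b: int, checked: bool) -> int:
    """uint256 addition with the same two overflow policies."""
    r = a + b
    if r >= MOD:
        if checked:
            raise Overflow(f"{a} + {b} exceeds uint256")
        return r % MOD
    return r


class BondingCurve:
    """Hypothetical linear curve: price per token = base_price + slope * supply.

    All values are integers in wei. checked=False reproduces the silent wrapping of
    older Solidity; checked=True reproduces the checked arithmetic of Solidity 0.8+.
    """

    def __init__(self, base_price: int, slope: int, checked: bool) -> None:
        self.base_price = base_price
        self.slope = slope
        self.checked = checked
        self.supply = 0   # tokens minted so far
        self.reserve = 0  # ETH held by the contract

    def quote(self, amount: int) -> int:
        """Cost in wei to mint `amount` tokens at the current supply."""
        price = add(self.base_price, mul(self.slope, self.supply, self.checked), self.checked)
        return mul(price, amount, self.checked)

    def buy(self, amount: int, eth_sent: int) -> int:
        """Mint `amount` tokens if enough ETH was sent; returns the cost charged."""
        cost = self.quote(amount)
        if eth_sent < cost:
            raise ValueError("insufficient ETH")
        self.supply = add(self.supply, amount, self.checked)
        self.reserve += cost
        return cost


def overflow_amount(price: int) -> int:
    """Smallest amount with amount * price >= 2**256.

    The wrapped product is then amount * price - 2**256, which lies in [0, price):
    the attacker is charged less than the price of one token for `amount` tokens.
    """
    return -(-MOD // price)  # ceil(2**256 / price)


if __name__ == "__main__":
    ONE_TOKEN = 10**15  # constructed price: 0.001 ETH per token
    vulnerable = BondingCurve(ONE_TOKEN, slope=0, checked=False)
    amount = overflow_amount(ONE_TOKEN)
    paid = vulnerable.buy(amount, eth_sent=ONE_TOKEN)
    print(f"minted {amount:.3e} tokens for {paid} wei (< {ONE_TOKEN} wei)")

    fixed = BondingCurve(ONE_TOKEN, slope=0, checked=True)
    try:
        fixed.buy(amount, eth_sent=ONE_TOKEN)
    except Overflow as exc:
        print("checked arithmetic reverted:", exc)
```

Running the script shows the vulnerable curve handing out roughly 1e62 tokens for under 0.001 ETH, which is the position an attacker would then dump on a DEX for the ETH the article describes, while the checked variant reverts before any state changes. The same wrap-around applies to the supply counter, which is why the model routes every addition through the same policy as the multiplication.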