DeFi is shaken again by another "Black Swan" event.
The Truebit Protocol on the Ethereum base layer experienced a serious security incident, with over $26 million stolen. Its native token TRU plummeted from $0.16 to nearly zero. The event unfolded within just a few hours, catching investors off guard.
**Quick Overview of the Key Information**
Key data at a glance👇
- 8,535 ETH transferred out of the contract
- Loss amount approximately $26 million
- TRU token price nearly zero
- The vulnerability stemmed from a historical code flaw in the smart contract
**Discovery and Confirmation**
The story began with an alert from on-chain security firm Cyvers. They detected an abnormal transaction and traced it to confirm that the core smart contract of Truebit was being drained of funds continuously. The hacker’s address ultimately accumulated 8,535 ETH, completely emptying the protocol’s treasury.
The market reacted swiftly: investors fled as soon as they saw the risk signals, sending TRU's price into free fall and wiping out its market capitalization entirely.
**Official Response**
The Truebit team issued an emergency statement on social media, confirming a serious security incident and immediately issuing a risk warning: temporarily avoid interacting with related contracts.
Officially, the following actions were disclosed:
- Reported the incident to law enforcement proactively
- Fully advanced the investigation process
- Explored feasible remediation plans
**Vulnerability Analysis**
According to in-depth tracking by on-chain researchers, this attack did not exploit a new zero-day vulnerability but rather a legacy flaw in the minting function of the contract—such issues are often forgotten by development teams but become "keys to the door" for hackers.
This incident once again exposes the weaknesses in smart contract auditing within the Ethereum ecosystem and serves as a wake-up call for the entire DeFi industry.
HappyMinerUncle
· 01-12 06:35
Old vulnerabilities, these things are really hard to prevent... another forgotten time bomb in the code.
---
That's why I never go all-in on ecosystem tokens; too many teams are just in it for quick gains.
---
20.6 million gone, TRU reset to zero, and investors are about to suffer another round of heavy losses.
---
Cyvers responded quickly; if it weren't for their warning, who knows how long it would have taken for things to go bad.
---
Reporting to law enforcement? Uh... these things usually just end in a dead end, everyone knows it.
---
Smart contract audits sound good, but in reality, it's just gambling. So many projects have passed audits before but still ended up exploding.
---
The alarm has been sounded for the Ethereum ecosystem again, but next time someone will still dare to deploy with old code; after all, retail investors are the ones who lose out.
SmartContractPhobia
· 01-09 07:53
Old vulnerabilities piling up, this is Web3
Another old bug exposed, audits really need to reflect and improve
TRU directly drops to zero, investors are the final bagholders
Wait, why are so many contracts still legacy issues? Don't developers review them?
26 million suddenly gone, this is the reality of DeFi, right?
ForkItAll
· 01-09 07:52
Old vulnerabilities haven't been thoroughly audited, so what innovation are we talking about?
It's the smart contract's fault again, why hasn't anyone learned to audit?
26 million just gone like that, it's hilarious.
Why didn't Truebit think to check the historical code?
Hackers find loopholes, development teams slack off, it's an eternal routine.
Our circle really needs to learn something.
Historical vulnerabilities can become "master keys," this audit is just formalism.
Another "we have reported to the police," this routine is getting old.
85,035 ETH evaporated directly, investors will have to lose money again.
The Ethereum ecosystem still needs to work harder.
BoredApeResistance
· 01-09 07:32
Old vulnerabilities can be exploited like this, these project teams really deserve to be fined.
Once again, poor audits, money gone, and people run away. We retail investors are always the last to know.
26 million USD just gone like that. This industry is really getting more and more outrageous.
It feels like there's a black swan every week, I'm so exhausted.
Don't they check the contract code? What kind of lousy audit is this?
Old vulnerabilities can actually remain for so long. Who the hell wrote this code? Kindergarten level, right?
Another project drained dry. This track is really hopeless.
ETHmaxi_NoFilter
· 01-09 07:28
Another one? Is contract auditing just a show?
---
85,350 ETH just gone, unbelievable
---
Old vulnerabilities can still be exploited, I really don't understand what these teams are thinking
---
TRU directly hits zero, investors have to cut losses again
---
Every time they say to strengthen audits, every time problems recur. When will they learn?
---
Fallen from 0.16 to 0, dreams shattered within hours
---
What’s the use of on-chain security alerts? Hackers were in long ago
---
26 million should be considered tuition fees; the risks in this circle are really high
---
How many more "legacy" issues like this are in the contract? It's terrifying when you think about it
---
Just one official statement "avoid interaction" and that's it? Can the money be recovered?