Truebit Protocol Suffers $26 Million Smart Contract Exploit, TRU Token Plummets
The Truebit Protocol, an integral Ethereum verification and computation layer, fell victim to a sophisticated smart contract exploit on Thursday, resulting in the theft of assets valued at over $26 million. Following the disclosure of the attack, Truebit’s native token, TRU, collapsed 100% from its $0.16 valuation, leaving its price near zero.
Truebit promptly confirmed the security incident via its official X (formerly Twitter) account, stating, “We became aware of a security incident involving one or more malicious actors. The affected smart contract is 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2 and we strongly advise the public not to interact with this contract until further notice. We are in contact with law enforcement and taking all possible measures to address this situation.”
— Truebit (@Truebitprotocol) January 8, 2026
The Scale of the Loss: Over 8,500 ETH Drained
While Truebit’s official statement did not specify the exact stolen amount, on-chain analytics firm Lookonchain provided a detailed estimate. According to their analysis, the attackers siphoned off approximately 8,535 Ethereum (ETH), valued at an estimated $26.6 million at the time of the incident.
Unpacking the Vulnerability: A Flaw in a Five-Year-Old Contract
Independent blockchain researcher Weilin Li offered critical insights into the nature of the exploit. Li’s analysis suggests that the attack likely stemmed from a smart contract deployed by Truebit a staggering five years ago. A critical flaw was identified within the “minting” function’s pricing mechanism, which allowed the malicious actors to acquire vast quantities of TRU tokens at a cost significantly below their market value.
Weilin Li further detailed that the exploit was executed by two distinct hackers. One attacker reportedly made off with approximately $26 million, while the second made a profit of around $250,000 from the same vulnerability.
The “Archaeology” Trend: Old Contracts, New Dangers
In a stark warning to the broader blockchain ecosystem, Weilin Li highlighted an emerging “archaeology trend” among cybercriminals. This modus operandi involves hackers actively seeking out older, often forgotten smart contracts that, despite their age, still retain critical permissions and functionalities. These dormant contracts become prime targets for exploitation, as they may contain vulnerabilities that were overlooked or simply not discovered at the time of their initial deployment.
This incident underscores a persistent challenge in DeFi security, where even established protocols remain vulnerable to sophisticated exploits. The Truebit hack follows a string of high-profile smart contract attacks in recent months. Last November, the DeFi protocol Balancer lost over $120 million due to a smart contract vulnerability. More recently, projects such as Bunni, Nemo Protocol, Hyperdrive, and Yearn Finance have also reported similar security breaches, highlighting the urgent need for continuous auditing and robust security practices across the Web3 landscape.
Disclaimer: This article is for market information purposes only. All content and views are for reference only, do not constitute investment advice, and do not represent the views and positions of the author or BlockTempo. Investors should make their own decisions and transactions. The author and BlockTempo will not be liable for any direct or indirect losses incurred by investors’ transactions.