A $26 million exploit of the offline computation protocol Truebit stemmed from a smart-contract flaw that allowed an attacker to mint tokens at near-zero cost, highlighting persistent security risks even in long-running blockchain projects.
$26 million exploit that resulted in a 99% crash for the Truebit (TRU) token, Cointelegraph reported on Friday.
The attacker abused a loophole in the protocol’s smart-contract logic, which enabled them to mint “massive amounts of tokens without paying any ETH,” according to blockchain security company SlowMist, which published a post-mortem on Tuesday.
“Due to a lack of overflow protection in an integer addition operation, the Purchase contract of Truebit Protocol produced an incorrect result when calculating the amount of ETH required to mint TRU tokens,” SlowMist said.
The smart contract’s price calculations were then “erroneously reduced to zero,” enabling the attacker to drain the contract’s reserves by minting $26 million worth of tokens “at nearly no cost,” the post mortem said.
The contract was compiled with Solidity 0.6.10, an older compiler version that didn’t include built-in overflow checks, so calculations exceeding the maximum value of “uint256” resulted in a “silent overflow,” causing the result to “wrap around a small value near zero.”
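The wrap-around described above can be reproduced with a small model of uint256 addition. This is an added illustration, not code from Truebit, SlowMist or Cointelegraph; the price formula and all input values are constructed assumptions that only share the shape of the defect (an unchecked addition feeding a price).

```python
# Added illustration: models Solidity uint256 addition, not Truebit's contract code.
UINT256_MAX = 2**256 - 1


def add_wrapping(a: int, b: int) -> int:
    """Unchecked uint256 add, as in Solidity 0.6.x: result is taken mod 2**256."""
    return (a + b) & UINT256_MAX


def add_checked(a: int, b: int) -> int:
    """Checked add (SafeMath-style, default since Solidity 0.8.0): revert on overflow."""
    total = a + b
    if total > UINT256_MAX:
        raise OverflowError("uint256 addition overflow, transaction reverts")
    return total


def eth_required(term_a: int, term_b: int, divisor: int, add=add_wrapping) -> int:
    """Hypothetical price formula (assumption): (term_a + term_b) // divisor, in wei."""
    return add(term_a, term_b) // divisor


def compare(term_a: int, term_b: int, divisor: int) -> dict:
    """Price the same purchase three ways: exact math, unchecked add, checked add."""
    result = {
        "exact": (term_a + term_b) // divisor,  # what the formula intends
        "unchecked": eth_required(term_a, term_b, divisor, add_wrapping),
    }
    try:
        result["checked"] = eth_required(term_a, term_b, divisor, add_checked)
    except OverflowError:
        result["checked"] = "reverted"
    return result


# Constructed inputs: two intermediate values whose true sum is 2**256 + 7.
OVERFLOWING = compare(2**255, 2**255 + 7, 10**18)
# Constructed inputs that stay in range: all three paths agree.
NORMAL = compare(3 * 10**18, 2 * 10**18, 10**18)

if __name__ == "__main__":
    print("overflowing:", OVERFLOWING)
    print("normal:     ", NORMAL)
```

With the unchecked addition the overflowing case prices the purchase at 0 wei, while the checked addition refuses to produce a price at all, which is the behaviour a contract on an older compiler gets by routing arithmetic through a checked-math library.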

The exploit shows that even the more established protocols are threatened by hackers. Truebit was launched on the Ethereum mainnet almost five years ago in April 2021.
Smart-contract security attracted interest at the end of last year, when an Anthropic study revealed that commercially available artificial intelligence (AI) agents had found of smart contract exploits.
Anthropic’s Claude Opus 4.5, Claude Sonnet 4.5 and OpenAI’s GPT-5 collectively developed exploits worth $4.6 million when tested on smart contracts, according to a research paper released by the AI company’s red team, dedicated to discovering code vulnerabilities before malicious actors can find them.

Smart-contract vulnerabilities were the largest attack vector for the cryptocurrency industry in 2025, with 56 cybersecurity incidents, while account compromises ranked second with 50 incidents, according to SlowMist’s year-end .
Contract vulnerabilities accounted for 30.5% of all the crypto exploits in 2025, while hacked X accounts accounted for 24% and private key leaks for 8.5% in third place.

Meanwhile, other hackers are switching strategies from protocol hacks to exploiting weak links in onchain human behavior.
emerged as the second-largest threat of 2025, costing crypto investors a cumulative $722 million across 248 incidents, according to blockchain security platform CertiK.
are social engineering schemes that don’t require hacking code. Instead, attackers share fraudulent links to steal victims’ sensitive information, such as the private keys to crypto wallets.
Still, investors are becoming more aware of this threat, as the $722 million was 38% less than the $1 billion stolen through in 2024.























