Crypto Hackers Drain Over $36M From Protocols Using Unverified Contracts

A crypto hacker who drained $26 million from Ethereum-based protocol Truebit in January had likely practiced the technique on smaller targets first, according to blockchain analytics firm Chainalysis.

A Contract Left Exposed For Years

The Truebit exploit was the largest of four incidents Chainalysis identified in a new report covering the past six months. Together, those attacks — targeting Truebit, Trusted Volumes, Aperture Finance, and Ekubo — account for roughly $37 million in losses, all traced back to contracts whose source code had never been publicly verified on blockchain explorers.

The Truebit contract had been sitting on Ethereum since 2021. It was compiled using Solidity v0.5.3, a version released before automatic overflow protections became standard. An attacker found an integer overflow flaw inside its bonding curve mechanism and used it to mint large quantities of tokens at minimal cost before converting them to ETH.

Why Closed Code Creates Open Risk

Verified contracts get reviewed. Bug bounty hunters read them. Independent researchers flag problems before attackers do. Unverified contracts get none of that scrutiny, and many bug bounty programs specifically exclude them from coverage — meaning vulnerabilities can sit untouched for years while millions of dollars flow through the affected code.

That gap is what Chainalysis says attackers are now exploiting. Each of the four compromised contracts lacked publicly available source code. Attackers worked instead from decompiled bytecode, converting raw on-chain code into readable output using tools like Dedaub, Heimdall, and Panoramix.

Once decompiled, the code can be fed into AI systems capable of spotting reentrancy flaws, arithmetic errors, and access-control weaknesses at a scale no human reviewer could match.

The $36.7 million figure is a fraction of total DeFi losses during the same period — Chainalysis puts the broader six-month theft total above $1 billion. But the firm argues the unverified contract problem could grow as automated analysis tools become cheaper and easier to use, allowing attackers to scan large numbers of dormant contracts and rank them by exploitability.

Across the four incidents, the specific bugs differed. Reports indicate weaknesses ranged from integer overflow and access-control failures to input-validation errors and identity verification flaws.

What they shared was the same protection gap: no public source code, no external review, and no real-time monitoring in place to catch abnormal activity before the funds were gone.

Chainalysis is recommending that protocols treat source-code verification as a baseline requirement for any contract holding user assets.

The firm also says audits and bug bounty coverage should extend to implementation contracts sitting behind proxy structures — components that often go unreviewed even when the front-facing contract is verified.

Featured image from CybersecAsia, chart from TradingView