Truebit hit by $26m exploit as attackers increasingly target older DeFi protocols

  • Truebit suffers a $26 million exploit.
  • It comes as attacks targeting older DeFi protocols increase.

Truebit, an Ethereum-based verification protocol, has been left reeling after a hacker stole $26 million from the protocol’s reserves.

The hacker targeted a bug in the protocol’s code, tricking it into giving away 8,535 Ether tokens at around 4pm London time on Thursday. Shortly after, the protocol was exploited again, with a cybercriminal stealing just under $300,000 worth of the protocol’s TRU token.

The impacted smart contract was deployed in 2021, and there is no public record that it had undergone a third-party audit.

Truebit has since acknowledged the exploits in an X post.

“We are in contact with law enforcement and taking all available measures to address the situation,” the protocol said.

The incident comes after cybercriminals stole over $2.5 billion in raids against crypto projects in 2025, DefiLlama data shows.

Attacks against older protocols

The Truebit attack also highlights a growing trend of hackers targeting smart contracts at older DeFi protocols, Weilin Li, a DeFi security researcher and PhD student at University College London, said in an X post discussing the exploit.

In November, a hacker stole $128 million from DeFi liquidity protocol Balancer. The exploited smart contract had been live on Ethereum since 2021 and had undergone multiple audits.

Other older DeFi protocols to suffer exploits in recent months include Yearn Finance’s v1 vaults and Rari Capital, both launched in 2020, and Ribbon Finance, launched in 2021.

Smart contracts at these protocols were written at a time when fewer developers were aware of critical code vulnerabilities that are now more widely known.

Many older DeFi protocols are not actively maintained but still hold significant amounts of crypto, making them prime targets for hackers.

Some DeFi developers say the trend can be attributed to hackers using artificial intelligence to find and exploit protocols.

Maths problem

The Truebit exploit was the result of an attack vector known among security experts as integer overflow — in other words, a maths problem.

When a smart contract needs to calculate something, a code error can cause it to produce a number bigger than the maximum limit it can store. This causes the value to wrap around to an unexpectedly small or negative number, which attackers can leverage to bypass security checks, manipulate balances, and steal funds.
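The wrap-around described above, shown as an added example that is not Truebit's code or part of the original article: a Python model of 256-bit unsigned arithmetic in which a hypothetical `mint` function prices a purchase first with wrapping multiplication and then with checked multiplication. All function names and input values are constructed for illustration.

```python
UINT256_MAX = 2**256 - 1  # largest value a 256-bit unsigned integer can hold


class Revert(Exception):
    """Models a transaction that aborts and leaves state unchanged."""


def mul_wrapping(a: int, b: int) -> int:
    # Unchecked arithmetic: the result is silently reduced modulo 2**256.
    return (a * b) & UINT256_MAX


def mul_checked(a: int, b: int) -> int:
    # Checked arithmetic: abort instead of returning a wrapped value.
    product = a * b
    if product > UINT256_MAX:
        raise Revert("multiplication overflow")
    return product


def mint(paid: int, amount: int, price: int, mul) -> int:
    """Hypothetical contract function: credit `amount` tokens if `paid` covers the cost."""
    cost = mul(amount, price)
    if paid < cost:  # the security check the wrapped value defeats
        raise Revert("insufficient payment")
    return amount


def try_mint(paid: int, amount: int, price: int, mul) -> str:
    """Run mint() and report the outcome as a string for comparison."""
    try:
        return f"minted {mint(paid, amount, price, mul)}"
    except Revert as exc:
        return f"reverted: {exc}"


# Constructed inputs: amount * price equals exactly 2**256, which wraps to 0.
AMOUNT, PRICE = 2**56, 2**200

if __name__ == "__main__":
    print("wrapping:", try_mint(0, AMOUNT, PRICE, mul_wrapping))
    print("checked: ", try_mint(0, AMOUNT, PRICE, mul_checked))
    print("normal:  ", try_mint(10, 2, 5, mul_checked))
```

With wrapping arithmetic the computed cost is zero, so the payment check passes with nothing paid; the checked version aborts the same call. Solidity has used checked arithmetic by default since version 0.8, outside of `unchecked` blocks.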

Integer overflow exploits are not a new phenomenon.

Multiple DeFi protocols have fallen victim to them over the years. The prevalence of the issue means those developing and auditing new smart contracts now rigorously check for integer overflows and similar math problems.

Still, sometimes such bugs slip through the cracks.

In July, Cetus, a decentralised exchange on the Sui blockchain, fell victim to an integer overflow exploit. The bug allowed a hacker to trick the protocol into thinking they had more funds than they did, ultimately leading to the theft of some $220 million worth of crypto.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
