Truebit Loses $26 Million Due to Smart Contract Flaw

Truebit Loses $26 Million Due to Smart Contract Error

Truebit has suffered an exploitation worth $26 million after an overflow error in its smart contract allowed an attacker to issue tokens at nearly zero cost, resulting in a 99% drop in the price of the TRU token.

The attacker exploited a loophole in the logic of the smart contract of the protocol, which permitted them to issue "massive amounts of tokens without paying ETH," according to a post-mortem analysis published by the blockchain security firm SlowMist. "Due to the lack of overflow protection in an addition operation of integers, the acquisition contract of the Truebit Protocol produced an incorrect outcome when calculating the amount of ETH needed to issue TRU tokens," representatives from SlowMist stated.

The price calculations of the smart contract were "incorrectly reduced to zero," allowing the attacker to drain the contract’s reserves by issuing tokens worth $26 million "at an almost nonexistent cost." It is also worth noting that the contract was compiled with Solidity version 0.6.10, and earlier versions lacked automatic overflow checks, leading to incorrect results when exceeding the maximum value of "uint256."

This exploitation highlights the security risks that persist even in older blockchain projects, given that Truebit was launched on the Ethereum mainnet nearly five years ago in April 2021.

A yearly analysis by SlowMist showed that smart contract vulnerabilities represented the largest attack vector in the cryptocurrency industry in 2025, with 56 security incidents, while account compromises ranked second with 50 incidents.