Major DeFi Vulnerability Exposed: $26.44 Million Stolen from Truebit Protocol

In a significant blow to the nascent decentralized computing space, the Truebit Protocol fell victim to a sophisticated smart contract exploit on January 8, 2026. Attackers drained approximately 8,535 ETH, valued at around $26.44 million, from the protocol’s reserves. The incident, analyzed by the SlowMist security team, highlights seemingly critical flaws in older Solidity versions and underscores the ongoing risks in DeFi ecosystems.

Truebit Protocol is designed for decentralized offline computations, featuring an algorithmic elastic supply mechanism for its TRU token.

Users can mint TRU by depositing ETH into the Purchase contract, increasing the token supply and ETH reserves.

Conversely, burning TRU allows withdrawal of a proportional share of reserves.

This mint-burn cycle aims to maintain price stability but became the attack vector due to a vulnerability in the price calculation logic.

The core issue stemmed from inadequate overflow protection in the contract’s arithmetic operations.

Compiled with Solidity ^0.6.10, the code lacked built-in overflow checks available in later versions like 0.8.0.

While multiplications used SafeMath to prevent overflows, a key addition operation in the numerator—(v12 + v9)—relied on the native ‘+’ operator without safeguards.

The price formula is: Price = (100 * A² * R + 200 * A * R * S) / ((100 - T) * S²), where A is the mint amount, R is ETH reserves, S is total supply, and T is fixed at 75.

By selecting a massive A value (e.g., 240,442,509,453,545,333,947,284,131 TRU), the attacker triggered an integer overflow in the addition, wrapping the result to near zero after exceeding uint256’s limit (2^256 - 1).

This caused the overall price to compute as zero after integer division, allowing free minting.

The attack unfolded in precise steps. The perpetrator, operating from address 0x6C8EC8f14bE7C01672d31CFa5f2CEfeAB2562b50, first queried the purchase price with the oversized amount, confirming it returned zero.

They then minted the tokens without ETH payment via the mint function (0xa0296215). Immediately after, they burned the tokens using the burn function (0xc471b10b), redeeming 5,105.069 ETH.

This cycle repeated, with each iteration increasing the TRU supply and enabling further arbitrage.

As reserves dwindled, subsequent mints required minimal ETH but yielded high-value tokens, ultimately depleting the contract.

Post-exploit, the stolen funds were swiftly laundered. The 8,535 ETH was split across three new addresses and funneled into Tornado Cash, a privacy mixer, complicating tracing efforts.

On-chain analysis revealed the attacker’s prior activities, including fund movements from Avalanche and BNB Chain via bridges like Rhino.fi, dating back to November 2025. MistTrack, a blockchain analytics tool, flagged these addresses for suspicious behavior.

SlowMist’s recommendations emphasize proper security practices. For contracts on Solidity versions below 0.8.0, all arithmetic must incorporate SafeMath to mitigate overflows.
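The unchecked addition described earlier and the SafeMath recommendation above can be compared side by side in a small model of 256-bit arithmetic. This is an added example, not code from the Truebit contract or from SlowMist; the reserve, supply and mint amounts are constructed sample values, and the order of the multiplications is an assumption.

```python
UINT256_MAX = 2**256 - 1
T = 75  # fixed parameter in the article's price formula

class Revert(Exception):
    """Stands in for the EVM revert a SafeMath check triggers."""

def safe_mul(a, b):
    if a * b > UINT256_MAX:
        raise Revert("SafeMath: multiplication overflow")
    return a * b

def safe_add(a, b):
    if a + b > UINT256_MAX:
        raise Revert("SafeMath: addition overflow")
    return a + b

def raw_add(a, b):
    # Native '+' before Solidity 0.8.0 wraps silently modulo 2**256.
    return (a + b) % 2**256

def price(A, R, S, add):
    # Every multiplication is checked; only the numerator's addition varies.
    term1 = safe_mul(safe_mul(safe_mul(100, A), A), R)   # 100 * A^2 * R
    term2 = safe_mul(safe_mul(safe_mul(200, A), R), S)   # 200 * A * R * S
    denominator = safe_mul(safe_mul(100 - T, S), S)      # (100 - T) * S^2
    return add(term1, term2) // denominator

def exact_price(A, R, S):
    # Reference value with unbounded integers (no 256-bit limit).
    return (100 * A * A * R + 200 * A * R * S) // ((100 - T) * S * S)

# Constructed sample state, not the protocol's real on-chain values.
R = 8_000 * 10**18             # reserves, in wei
S = 160_000_000 * 10**18       # total supply, 18 decimals assumed
A_NORMAL = 10**18              # ordinary mint amount
A_HUGE = 260_000_000 * 10**18  # each product fits in uint256, their sum does not

def compare(A):
    """Return (unchecked price, checked price or 'revert', exact price)."""
    try:
        checked = price(A, R, S, safe_add)
    except Revert:
        checked = "revert"
    return price(A, R, S, raw_add), checked, exact_price(A, R, S)

if __name__ == "__main__":
    for amount in (A_NORMAL, A_HUGE):
        print(amount, compare(amount))
```

For the ordinary amount all three prices agree; for the oversized amount the checked path reverts while the unchecked path returns a price far below the exact one, which is the condition a pre-0.8.0 audit should look for on every native `+`.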

Broader advice includes thorough audits, real-time monitoring, and comprehensive risk assessments to preempt such vulnerabilities.

This breach serves as a reminder of DeFi’s fragility.

As protocols evolve, prioritizing security over innovation is paramount to protect user assets and maintain trust in blockchain technologies. With losses mounting in the sector, incidents like Truebit’s could spur regulatory scrutiny and (hopefully) drive adoption of safer coding standards.


