AI Is Accelerating Discovery of DeFi and Smart Contract Attack Vectors and Exploits, Report Reveals

Blockchain intelligence firm Chainalysis has identified a concerning trend gaining momentum in the decentralized finance (DeFi) ecosystem: cybercriminals are increasingly targeting smart contracts whose source code has not been published for public view. According to the firm's recent analysis, this approach has yielded at least $36.7 million in stolen funds over the past six months, highlighting how obscurity can backfire as a security tactic.

Unlike the majority of prominent DeFi projects that openly verify their code on platforms like Etherscan, a subset of protocols opts for closed-source deployments.

The aim is to deny would-be attackers a clear blueprint of the contract's logic.

However, determined adversaries are bypassing this barrier by reverse-engineering the raw bytecode.

Modern decompilation tools now make this process more accessible, and the integration of artificial intelligence is supercharging exploit discovery.

Large language models (LLMs) can scan decompiled code for weaknesses—such as arithmetic errors, access control issues, or input validation flaws—at a scale and speed unattainable by traditional manual reviews.

Chainalysis identified exploits on five protocols where the vulnerable contracts were unverified at the time of attack.

The largest incident targeted Truebit, a tokenized asset platform, resulting in a $26.2 million loss on January 8, 2026.

The flaw involved an integer overflow in a bonding curve mechanism within a contract originally deployed in 2021 using an older Solidity version lacking built-in overflow protection.

An attacker manipulated inputs to mint vast quantities of tokens at negligible cost before draining ETH through buybacks.

Evidence suggests the perpetrator employed systematic scanning, having executed a smaller exploit days earlier.

Other cases include Trusted Volumes ($5.9 million loss due to an access control vulnerability in a swap proxy), Aperture Finance ($3.2 million from an input validation bypass), and Ekubo ($1.4 million tied to callback identity verification failures).

These incidents underscore that unverified contracts, while evading casual inspection, still attract significant capital—and thus interest from sophisticated threat actors.

At first, targeting unverified contracts might appear inefficient, as decompiled bytecode is less readable than original Solidity. Yet several dynamics tilt the scales in attackers’ favor.

First, AI-powered pipelines lower the expertise threshold dramatically; what once demanded days of expert effort can now involve automated triage of thousands of contracts.

Second, these contracts miss out on the “wisdom of the crowd”—white-hat researchers, auditors, and community developers who routinely scrutinize open code. Third, bug bounty programs frequently exclude unverified elements, leaving gaps in incentivized discovery.

This pattern represents a shift. While total DeFi losses exceed $1 billion across dozens of incidents in the same period (mostly involving verified contracts), the rise of unverified targets signals a maturing attacker playbook enabled by technological advances.

Protocols must adapt swiftly. Verifying all source code on block explorers—especially implementation contracts behind proxies—should become standard practice.

Audits need to encompass live deployments, not just initial plans, and bug bounties should cover every fund-holding contract regardless of legacy status.

For cases where verification lags, real-time on-chain monitoring tools offer a vital safety net by detecting anomalous behavior before drains complete.
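The Truebit flaw described above (unchecked integer arithmetic in a bonding curve) and the monitoring safety net mentioned here can both be illustrated with a small model. This is an added example, not code from the Chainalysis report or from any protocol it names: it prices purchases on a hypothetical linear bonding curve twice, once with the wrapping uint256 semantics of Solidity before 0.8 and once with the checked arithmetic Solidity 0.8+ (or a SafeMath library) applies, and it includes a hypothetical off-chain monitor that recomputes what a mint should have cost.

```python
# Added example (not code from the Chainalysis report or any named protocol).
# Hypothetical linear bonding curve: price(s) = slope * s, so buying `amount`
# tokens at supply s costs slope * amount * (2*s + amount) / 2.
UINT256_MAX = 2**256 - 1


class Overflow(Exception):
    """Stands in for the revert a checked contract would produce."""


def wrapping(x: int) -> int:
    """Pre-0.8 Solidity semantics: results silently wrap modulo 2**256."""
    return x % (UINT256_MAX + 1)


def checked(x: int) -> int:
    """Solidity 0.8+ / SafeMath semantics: any out-of-range value reverts."""
    if x < 0 or x > UINT256_MAX:
        raise Overflow(f"uint256 arithmetic out of range: {x}")
    return x


def buy_cost(supply: int, amount: int, slope: int, safe: bool) -> int:
    """Wei owed for `amount` tokens, evaluated step by step in uint256 as a contract would."""
    op = checked if safe else wrapping
    new_supply = op(supply + amount)
    area = op(op(supply + new_supply) * amount)   # the multiply that can wrap to ~0
    return op(area * slope) // 2


def true_cost(supply: int, amount: int, slope: int) -> int:
    """Same formula with unbounded Python ints: what the buyer should really pay."""
    return slope * amount * (2 * supply + amount) // 2


def reverts(supply: int, amount: int, slope: int) -> bool:
    """True when the checked version of the contract would reject this purchase."""
    try:
        buy_cost(supply, amount, slope, safe=True)
        return False
    except Overflow:
        return True


def mint_underpaid(supply: int, amount: int, slope: int, paid: int) -> bool:
    """Hypothetical monitoring rule: recompute the curve off-chain and flag any
    mint event whose payment is below the mathematically correct cost."""
    return paid < true_cost(supply, amount, slope)


if __name__ == "__main__":
    supply, slope, amount = 0, 1, 2**128      # constructed input: 2**128 * 2**128 == 2**256
    print("wrapping cost:", buy_cost(supply, amount, slope, safe=False))
    print("true cost:", true_cost(supply, amount, slope))
    print("checked contract reverts:", reverts(supply, amount, slope))
    print("monitor flags mint:", mint_underpaid(supply, amount, slope, paid=0))
```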

As AI capabilities advance, relying on code obscurity grows riskier. The blockchain ecosystem’s expanding inventory of unverified contracts creates a fertile hunting ground for automated exploitation. Chainalysis has concluded that developers and users should prioritize transparency and proactive monitoring to safeguard assets in this threat landscape.
