
Chainalysis reports $36M+ stolen from protocols with unverified contracts over six months. Truebit was largest after attackers tested same technique on smaller targets.
Alpha Score of 62 reflects moderate overall profile with strong momentum, moderate value, moderate quality, moderate sentiment.
A crypto hacker who drained $26 million from Ethereum-based protocol Truebit in January tested the same technique on smaller targets first, according to blockchain analytics firm Chainalysis. The Truebit exploit was the largest of four incidents that together pulled more than $36 million from protocols using unverified smart contracts over the past six months.
Chainalysis said the attackers targeted contracts that had been deployed but never publicly verified. Unverified contracts lack source code that matches the bytecode on the blockchain, making them harder for security scanners to flag. The Truebit contract had been exposed for years before the attacker found a way to drain it. Smaller heists using the same method preceded the larger attack, the firm said.
The Ethereum ecosystem relies on block explorers like Etherscan to display verified source code. Verification is voluntary. Projects that skip it leave users with no easy way to check what the contract actually does. Chainalysis said attackers are actively scanning for these gaps.
Truebit handles off-chain computation for Ethereum. The attacker exploited a vulnerability in the verification mechanism, according to posts from the project's developers at the time. Chainalysis now says the same vulnerability was present in the unverified contract for years.
For traders, due diligence on smart contracts extends beyond the initial audit. Chainalysis recommended verifying whether a contract's source code is published and matches the bytecode before interacting. The firm said even projects with strong reputations can have unverified code sitting on chain.
The report comes as crypto theft continues to evolve. Hacks and exploits have shifted from exchange hot wallets to DeFi protocols and cross-chain bridges. Unverified contracts are easier targets because they have likely not been audited or monitored. Chainalysis said the four incidents are probably not the last of their kind.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.