A $26 million exploit of the offline computation protocol Truebit, which caused the Truebit (TRU) token to crash by 99%, has been attributed to a critical smart contract vulnerability. The attack, reported by Cointelegraph, allowed an attacker to mint massive amounts of TRU tokens at near-zero cost.
Blockchain security firm SlowMist, in a post-mortem analysis, detailed that the flaw resided in the protocol's Purchase contract. "Due to a lack of overflow protection in an integer addition operation, the Purchase contract of Truebit Protocol produced an incorrect result when calculating the amount of ETH required to mint TRU tokens," the firm stated. This calculation error effectively reduced the token price to zero, enabling the attacker to drain the contract's reserves.
The vulnerability stemmed from the contract being compiled with Solidity 0.6.10, a version that predates built-in overflow checks. When calculations exceeded the maximum value of a `uint256` variable, a silent overflow occurred, causing the result to wrap around to a small value near zero. Truebit, which launched on the Ethereum mainnet in April 2021, had been operational for nearly five years before the exploit.
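The wraparound described above, shown as an added illustration that is not taken from the article, SlowMist's report or Truebit's code. The contract `MintPriceDemo`, the divisor `SCALE`, the operands `termA` and `termB` and the price formula are all hypothetical; only the compiler version comes from the article. It places an unchecked addition beside the SafeMath-style guard that turns the overflow into a revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.6.10; // version named in the article; arithmetic is unchecked here

// Hypothetical contract for illustration only; not Truebit's Purchase contract.
contract MintPriceDemo {
    uint256 public constant SCALE = 1e18; // assumed divisor in the price formula

    // Unchecked: when termA + termB exceeds 2**256 - 1 the sum is reduced
    // modulo 2**256, so a huge intermediate value becomes a tiny price.
    function requiredEthUnchecked(uint256 termA, uint256 termB)
        public pure returns (uint256)
    {
        uint256 sum = termA + termB; // silent wraparound under 0.6.x
        return sum / SCALE;
    }

    // Checked: after a wrapping addition the result is smaller than either
    // operand, so `sum >= termA` detects the overflow and reverts the call.
    function requiredEthChecked(uint256 termA, uint256 termB)
        public pure returns (uint256)
    {
        uint256 sum = termA + termB;
        require(sum >= termA, "addition overflow");
        return sum / SCALE;
    }

    // Runs both variants on constructed operands whose sum exceeds the
    // uint256 range. try/catch needs an external call, hence `this.`.
    function demo() external view returns (uint256 wrapped, bool checkedReverted) {
        uint256 a = type(uint256).max; // constructed sample value
        uint256 b = SCALE;             // constructed sample value
        wrapped = requiredEthUnchecked(a, b);
        try this.requiredEthChecked(a, b) returns (uint256) {
            checkedReverted = false;
        } catch {
            checkedReverted = true;
        }
    }
}
```

Solidity 0.8.0 and later apply the equivalent check to every arithmetic operation by default, which is why the guard has to be written by hand (or supplied by a library such as SafeMath) in 0.6.x code.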
The incident underscores persistent security risks in legacy smart contract code. According to SlowMist's year-end report, smart contract vulnerabilities were the largest attack vector in 2025, accounting for 30.5% of all crypto exploits across 56 incidents. This highlights that protocol-level bugs remain a primary threat, even as other methods like phishing scams—which cost investors $722 million in 2025—persist.
Furthermore, the exploit arrives amid growing interest in automated vulnerability discovery. A recent study by Anthropic revealed that AI agents, including Claude Opus 4.5 and OpenAI's GPT-5, were able to identify $4.6 million worth of exploitable smart contract flaws in simulations, indicating a rapidly evolving landscape for both offensive and defensive security tools.