A $26 million exploit of the offline computation protocol Truebit was caused by a smart-contract vulnerability that allowed an attacker to mint tokens at almost no cost, underscoring ongoing security risks even for long-established blockchain projects.
As reported by Cointelegraph on Friday, the attack triggered a 99% collapse in the price of the Truebit (TRU) token.
According to a post-mortem released Tuesday by blockchain security firm SlowMist, the attacker exploited a flaw in the protocol’s smart-contract logic that made it possible to mint “massive amounts of tokens without paying any ETH.”
SlowMist explained that the issue stemmed from missing overflow protection in an integer addition used to calculate the ETH required to mint TRU tokens. As a result, the contract generated an incorrect output, effectively reducing the token price calculation to zero.
This allowed the attacker to drain the contract’s reserves by minting approximately $26 million worth of TRU at near-zero cost.
The vulnerable contract was compiled using Solidity 0.6.10, a version that lacked built-in overflow checks. When calculations exceeded the maximum value of a uint256, they silently overflowed and wrapped around to a small value close to zero, enabling the exploit.
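The wraparound SlowMist describes can be reproduced off-chain. The following is an added example, not code from Truebit or from SlowMist's post-mortem: it models uint256 addition in Python as Solidity 0.6.x compiles it, next to a checked addition that reverts on overflow. The `eth_required` formula, its parameter names and all input values are constructed assumptions for illustration.

```python
# Added illustration: models uint256 addition with and without overflow checks.
# The pricing formula and all values are constructed, not Truebit's code.

UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for an EVM revert, which aborts the transaction."""


def add_wrapping(a: int, b: int) -> int:
    # Solidity 0.6.x `a + b`: the result is reduced modulo 2**256, no error.
    return (a + b) & UINT256_MAX


def add_checked(a: int, b: int) -> int:
    # SafeMath-style guard (and the default behaviour from Solidity 0.8.0):
    # a wrapped sum is always smaller than either operand, so revert on it.
    c = (a + b) & UINT256_MAX
    if c < a:
        raise Revert("addition overflow")
    return c


def eth_required(term_a: int, term_b: int, divisor: int, add) -> int:
    # Hypothetical mint price: a sum of two uint256 terms, then a division.
    for v in (term_a, term_b, divisor):
        assert 0 <= v <= UINT256_MAX, "inputs must fit in uint256"
    return add(term_a, term_b) // divisor


def compare(term_a: int, term_b: int, divisor: int) -> dict:
    """Price the same mint under both semantics and report the outcome."""
    unchecked = eth_required(term_a, term_b, divisor, add_wrapping)
    try:
        checked = eth_required(term_a, term_b, divisor, add_checked)
    except Revert:
        checked = "reverted"
    return {"unchecked": unchecked, "checked": checked}


# Constructed inputs: an ordinary mint, then one whose terms sum past 2**256.
NORMAL = compare(3 * 10**18, 10**18, 2)
OVERFLOW = compare(UINT256_MAX - 10**18 + 1, 10**18 + 5, 10)

if __name__ == "__main__":
    print("normal  :", NORMAL)
    print("overflow:", OVERFLOW)
```

With ordinary inputs both versions agree; once the sum exceeds the uint256 range, the unchecked price collapses to zero while the checked version aborts the mint.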

The incident highlights that even well-established blockchain protocols remain vulnerable to attacks. Truebit launched on the Ethereum mainnet in April 2021, nearly five years ago, underscoring that longevity alone does not guarantee security.
Interest in smart-contract security intensified late last year after an Anthropic study found that commercially available artificial intelligence agents were able to identify $4.6 million worth of smart-contract exploits.
According to a research paper published by Anthropic’s red team, which focuses on uncovering vulnerabilities before they can be exploited by malicious actors, Claude Opus 4.5, Claude Sonnet 4.5, and OpenAI’s GPT-5 collectively developed exploits valued at $4.6 million when tested against smart contracts.

Smart-contract vulnerabilities emerged as the largest attack vector in 2025, accounting for 56 security incidents across the crypto industry, according to SlowMist’s year-end report. Account compromises followed closely with 50 incidents.
Overall, contract-related flaws made up 30.5% of all crypto exploits during the year, while hacked X (formerly Twitter) accounts represented 24%, and private key leaks ranked third at 8.5%.

At the same time, hackers are increasingly shifting away from protocol-level exploits toward targeting weaknesses in onchain human behavior.
Crypto phishing scams became the second-largest threat in 2025, resulting in $722 million in losses across 248 incidents, according to blockchain security firm CertiK.
Unlike traditional hacks, phishing attacks rely on social engineering rather than code vulnerabilities, with attackers distributing fraudulent links to trick victims into revealing sensitive information such as wallet private keys.
Despite the scale of the threat, investor awareness appears to be improving. Losses from phishing in 2025 were 38% lower than the $1 billion stolen in 2024, suggesting better detection and prevention efforts.
