The Truebit protocol has confirmed a security incident involving one of its smart contracts on 7 January. The on-chain exploit resulted in the loss of more than 8,500 ETH, valued at approximately $26–26.5 million at current prices.
In a statement posted on X, Truebit said it had identified malicious activity linked to the “Truebit Protocol: Purchase” contract at address 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2, and urged users not to interact with the contract until further notice.
The team said it is working with law enforcement and will provide updates through official channels.
Pricing flaw enabled free token mints
While Truebit has not yet disclosed technical details of the vulnerability, on-chain analysis indicates the exploit stemmed from a pricing logic failure in the contract’s getPurchasePrice[uint256] function.
The function reportedly returned a zero price for unusually large mint requests, allowing attackers to mint tokens at no cost.
Using this flaw, the attacker was able to repeatedly mint and sell tokens back into the protocol’s bonding curve, draining ETH reserves through a rapid buy-sell loop.
One of the primary exploit transactions used a function explicitly labeled “Attack”.
The majority of the stolen funds were consolidated into a single address, with a smaller portion routed to a secondary wallet.
Funds moved through Tornado Cash
Shortly after the exploit, roughly half of the stolen ETH was routed through Tornado Cash, according to transaction records.
The rapid use of mixing services suggests the exploit was deliberate and pre-planned, rather than opportunistic.
Truebit TRU token price collapses
The exploit had an immediate market impact. The TRU token fell sharply following the incident. It dropped more than 60%, from around $0.16 to $0.005 in a single 12-hour candle on major exchanges.
The drop reflects traders’ reaction to the scale of the loss and uncertainty around remediation.
Exploit reflects broader trend in crypto crime
The Truebit incident comes amid a broader rise in crypto-related crime.
Data from Chainalysis shows that illicit cryptocurrency transactions increased sharply in 2025, primarily driven by stolen funds and activity associated with sanctioned entities.
The data showed a jump to approximately $154 billion in 2025.
The trend highlights how economically motivated attacks continue to target weaknesses in smart contract logic, particularly those tied to pricing and token issuance mechanisms.
At the time of writing, Truebit has not announced recovery plans or whether users will be made whole.
The team has reiterated that updates will be shared via its official communication channels.
Final Thoughts
- The Truebit exploit highlights how pricing and boundary-condition bugs remain among the most dangerous smart contract risks, even without complex attack vectors.
- The incident adds to growing evidence that economically motivated exploits continue to scale alongside broader crypto adoption.
