Loss Exceeding $26 Million: Analysis of Truebit Protocol Security Incident and Tracking of Stolen Funds Flow

marsbit, published 2026-01-09, updated 2026-01-09

Summary

On January 9, the Truebit Protocol was attacked and lost 8,535.36 ETH (approximately $26.4 million) through a contract deployed five years ago that was unaudited and whose source code was never published. The attack exploited a suspected arithmetic-logic flaw, possibly integer truncation, in an unverified function with selector 0xa0296215. The attacker called this function repeatedly with a minimal msg.value to mint a large quantity of TRU tokens, then burned them to withdraw ETH from the contract's reserves. According to Beosin's analysis, the stolen 8,535.36 ETH was mainly moved to two addresses: 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 (holding 4,267.09 ETH) and 0x273589ca3713e7becf42069f9fb3f0c164ce850a (holding 4,001 ETH). The attacker's address (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) still retains 267.71 ETH. All related addresses have been flagged as high-risk by Beosin KYT. The incident underscores the need for security audits, contract upgrades, emergency pause mechanisms and the safety features of modern Solidity to reduce the risk carried by legacy smart contracts.

Author: Beosin

In the early hours of January 9, a closed-source contract that Truebit Protocol deployed five years ago was attacked, resulting in a loss of 8,535.36 ETH (worth approximately $26.4 million). The Beosin security team analysed the vulnerability and traced the stolen funds; its findings are as follows:

Attack Technique Analysis

For this incident we take the most significant attack transaction as the subject of analysis. Its transaction hash is 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014.

1. The attacker calls getPurchasePrice() to obtain the current price.

2. The attacker then calls the flawed function 0xa0296215() with an extremely small msg.value.

Because the contract is closed-source, the root cause is inferred from the decompiled bytecode: the function appears to contain an arithmetic-logic flaw, such as an integer truncation, that lets the attacker mint a very large number of TRU tokens for almost nothing. The exact cause cannot be confirmed until the source is verified.

3. The attacker "sells back" the minted tokens to the contract through the burn function, extracting a large amount of ETH from the contract's reserves.

The attacker repeats this process four more times, increasing msg.value each time, until almost all of the ETH in the contract has been extracted.
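The following Python model is added here to make the three steps concrete; it is not Beosin's analysis code and not Truebit's contract. It reconstructs one plausible shape of the flaw the write-up describes: a payment check that narrows amount * price to 128 bits before comparing it with msg.value, so an order whose true cost passes 2**128 wraps to a fraction of one token's price. The contract design, its fixed price, its reserve size, the attacker address and the 128-bit narrowing are all assumptions; nothing is derived from the real 0xa0296215 bytecode. The block walks step 1 (read the price), step 2 (mint with the wrapped cost as msg.value) and step 3 (burn against the reserve), then shows a hardened variant with checked full-width arithmetic, a per-transaction mint cap and an emergency pause, which are the measures the conclusion recommends. In this model one round drains the reserve; the real attacker needed five.

```python
"""Hypothetical model of a truncation-style mint/burn flaw (added example, not
Truebit's contract). Amounts are in wei; Python ints emulate EVM unsigned words."""
from dataclasses import dataclass, field

WEI = 10**18
UINT128_MAX = 2**128 - 1
UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for a failed require() or a checked-arithmetic revert."""


def checked_mul(a: int, b: int) -> int:
    """uint256 multiplication as Solidity >= 0.8 does it: revert on overflow."""
    c = a * b
    if c > UINT256_MAX:
        raise Revert("arithmetic overflow")
    return c


@dataclass
class VulnerableSale:
    """Fixed-price token sale backed by an ETH reserve (assumed design)."""
    price_wei: int                                  # wei per token, buy and sell
    reserve_wei: int                                # ETH held by the contract
    balances: dict = field(default_factory=dict)    # token balances per address

    def get_purchase_price(self) -> int:
        return self.price_wei

    def buy(self, buyer: str, amount: int, msg_value: int) -> int:
        # BUG (assumed): the cost is narrowed to uint128 before the payment
        # check, so an order whose true cost passes 2**128 wraps to a pittance.
        cost = (amount * self.price_wei) & UINT128_MAX
        if msg_value < cost:
            raise Revert("insufficient payment")
        self.reserve_wei += msg_value
        self.balances[buyer] = self.balances.get(buyer, 0) + amount
        return cost

    def burn(self, seller: str, amount: int) -> int:
        """Sell tokens back to the contract; the payout comes from the reserve."""
        if self.balances.get(seller, 0) < amount:
            raise Revert("insufficient balance")
        payout = checked_mul(amount, self.price_wei)
        if payout > self.reserve_wei:
            raise Revert("reserve too small")
        self.balances[seller] -= amount
        self.reserve_wei -= payout
        return payout


@dataclass
class HardenedSale(VulnerableSale):
    """The same sale with the fixes the article recommends."""
    max_mint_per_tx: int = 1_000_000     # parameter limit (assumed value)
    paused: bool = False                 # emergency pause switch

    def buy(self, buyer: str, amount: int, msg_value: int) -> int:
        if self.paused:
            raise Revert("paused")
        if amount > self.max_mint_per_tx:
            raise Revert("amount exceeds per-tx limit")
        cost = checked_mul(amount, self.price_wei)   # full width, no narrowing cast
        if msg_value < cost:
            raise Revert("insufficient payment")
        self.reserve_wei += msg_value
        self.balances[buyer] = self.balances.get(buyer, 0) + amount
        return cost


def wrapping_amount(price_wei: int) -> int:
    """Smallest amount whose cost wraps past 2**128: amount * price = 2**128 + r
    with r < price, so the truncated cost r is below the price of a single token."""
    return -(-(2**128) // price_wei)            # ceil(2**128 / price)


def exploit(sale: VulnerableSale, attacker: str) -> dict:
    """The three steps from the write-up, run against the modelled contract."""
    price = sale.get_purchase_price()                         # 1. read the price
    amount = wrapping_amount(price)
    msg_value = (amount * price) & UINT128_MAX                # the tiny msg.value
    paid = sale.buy(attacker, amount, msg_value)              # 2. mint
    sellable = min(sale.balances[attacker], sale.reserve_wei // price)
    received = sale.burn(attacker, sellable)                  # 3. drain the reserve
    return {"minted": amount, "paid_wei": paid,
            "received_wei": received, "reserve_left_wei": sale.reserve_wei}


def attempt(sale: VulnerableSale, attacker: str = "0xattacker") -> str:
    """Run the exploit and report the outcome as a short string."""
    try:
        r = exploit(sale, attacker)
    except Revert as e:
        return f"reverted: {e}"
    return f"drained {r['received_wei'] // WEI} ETH for {r['paid_wei'] / WEI:.6f} ETH"


if __name__ == "__main__":
    print(attempt(VulnerableSale(price_wei=10**15, reserve_wei=8000 * WEI)))
    print(attempt(HardenedSale(price_wei=10**15, reserve_wei=8000 * WEI)))
```

With an assumed price of 0.001 ETH per token and an 8,000 ETH reserve, wrapping_amount() picks roughly 3.4e23 tokens whose truncated cost is under 0.0004 ETH; the burn then pays out the whole reserve. The hardened variant rejects the same call at the mint cap, and even with the cap lifted the full-width cost check fails because the wrapped msg.value is far below the real cost.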

Stolen Funds Tracking

Using on-chain transaction data, Beosin traced the funds in detail with BeosinTrace, its on-chain investigation and tracking platform. The findings are as follows:

After several transfers, most of the stolen 8,535.36 ETH is currently held at 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 and 0x273589ca3713e7becf42069f9fb3f0c164ce850a.

Address 0xd12f holds 4,267.09 ETH and address 0x2735 holds 4,001 ETH. The address from which the attacker launched the attack (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) still holds 267.71 ETH. None of these three addresses has moved funds any further yet.

(Figure: stolen funds flow analysis diagram, Beosin Trace)
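The tracing above was done with BeosinTrace on real chain data. As an added illustration of the technique, and not Beosin's tool or data, the Python below runs a pro-rata taint trace over a constructed ledger: the theft transaction seeds the taint, each later transfer carries along the sender's current tainted share, and the output lists where the tainted ETH now sits, which hop addresses only passed it through, and whether any of it reached a labelled off-ramp. Every address, amount and label in it is made up for the example.

```python
"""Pro-rata taint tracing over a constructed transfer ledger (added example)."""
from collections import defaultdict

WEI = 10**18

# Constructed data, not on-chain records: (sender, receiver, value_wei), in
# chronological order. THEFT is the transaction that seeds the taint.
THEFT = ("0xVICTIM", "0xATTACKER", 1000 * WEI)
LATER_TRANSFERS = [
    ("0xATTACKER", "0xHOP1", 600 * WEI),
    ("0xATTACKER", "0xHOP2", 300 * WEI),
    ("0xHOP1", "0xSINK_A", 600 * WEI),
    ("0xUNRELATED", "0xSINK_A", 5 * WEI),     # clean inflow co-mingled at the sink
    ("0xHOP2", "0xSINK_B", 250 * WEI),
    ("0xHOP2", "0xEXCHANGE_DEPOSIT", 50 * WEI),
]
KNOWN_OFFRAMPS = {"0xEXCHANGE_DEPOSIT"}       # assumed label set, not a real one


def trace(theft, transfers):
    """Replay the ledger and return {address: (tainted_wei, total_wei)}.

    Each outgoing transfer carries the sender's current tainted fraction
    (pro-rata taint), so clean funds mixed in at an address dilute its share.
    Senders never seen before are treated as clean sources."""
    tainted = defaultdict(int)
    total = defaultdict(int)
    _, thief, value = theft
    tainted[thief] += value
    total[thief] += value
    for sender, receiver, value in transfers:
        moved = 0
        if sender in total and total[sender] > 0:
            spend = min(value, total[sender])          # ledger assumed consistent
            moved = spend * tainted[sender] // total[sender]
            tainted[sender] -= moved
            total[sender] -= spend
        tainted[receiver] += moved
        total[receiver] += value
    return {addr: (tainted[addr], total[addr]) for addr in total}


def holders(result, min_wei=0):
    """Addresses still holding tainted ETH, largest share first."""
    return sorted(((addr, t) for addr, (t, _) in result.items() if t > min_wei),
                  key=lambda pair: -pair[1])


def pass_through(result):
    """Addresses that received funds but hold nothing now: intermediate hops."""
    return {addr for addr, (_, tot) in result.items() if tot == 0}


def offramp_hits(result):
    """Tainted balances that landed at a labelled off-ramp (exchange deposit)."""
    return {addr: t for addr, (t, _) in result.items()
            if addr in KNOWN_OFFRAMPS and t > 0}


if __name__ == "__main__":
    res = trace(THEFT, LATER_TRANSFERS)
    for addr, t in holders(res):
        print(f"{addr:<20} tainted {t / WEI:>8.2f} ETH of {res[addr][1] / WEI:.2f}")
    print("pass-through hops:", sorted(pass_through(res)))
    print("off-ramp hits:", {a: v / WEI for a, v in offramp_hits(res).items()})
```

The pro-rata rule is one of several accepted taint models (FIFO and "poison" are the others); it is the most forgiving to addresses that merely received a small tainted inflow, which is why 0xSINK_A reports 600 ETH tainted out of 605 rather than the whole balance.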

The addresses above have been marked as high-risk by Beosin KYT; the attacker's address is shown below as an example.

(Figure: Beosin KYT risk label for the attacker's address)

Conclusion

This incident involves a closed-source smart contract deployed five years ago. For contracts like this, the project team should upgrade the contract, add an emergency pause, impose parameter limits (for example caps on the amount minted or paid out per transaction), and adopt the checked arithmetic and other safety features of current Solidity versions. Publishing and verifying the source would also let third parties review the code instead of working from decompiled bytecode, as was necessary here. Security audits remain an essential step: through an audit, a Web3 project can have its smart contract code examined comprehensively, identify and fix potential vulnerabilities, and improve the contract's security.

*Beosin will provide a complete analysis report of all fund flows and address risks for this incident. Welcome to request it via the official email [email protected].

Related questions

Q: What was the total amount of ETH stolen in the Truebit Protocol security incident?

A: 8,535.36 ETH, valued at approximately $26.4 million.

Q: Which function did the attacker call to exploit the vulnerability in the closed-source contract?

A: The attacker called the function with selector 0xa0296215() with a very small msg.value to exploit an arithmetic-logic vulnerability, likely an integer truncation issue.

Q: How did the attacker convert the fraudulently minted TRU tokens into ETH?

A: The attacker used the burn function to "sell back" the minted TRU tokens to the contract, extracting a large amount of ETH from the contract's reserves.

Q: What are the two main addresses where the stolen ETH is currently held?

A: The majority of the stolen ETH is held at addresses 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 (4,267.09 ETH) and 0x273589ca3713e7becf42069f9fb3f0c164ce850a (4,001 ETH).

Q: What security measures does Beosin recommend to prevent such incidents?

A: Beosin recommends upgrading the contract to include emergency pause functions, parameter limits and current Solidity security features, and conducting thorough security audits to detect and fix potential vulnerabilities.
