Loss Exceeding $26 Million: Analysis of Truebit Protocol Security Incident and Tracking of Stolen Funds Flow

marsbitPublished on 2026-01-09Last updated on 2026-01-09

Abstract

On January 9, the Truebit Protocol suffered an attack resulting in a loss of 8,535.36 ETH (approximately $26.4 million) due to an exploit in a five-year-old unaudited and unopen-sourced contract. The attack involved a suspected arithmetic logic flaw, possibly due to integer truncation, in an unverified function (0xa0296215). The attacker repeatedly called this function with a minimal msg.value to mint a large number of TRU tokens, which were then burned to withdraw ETH from the contract’s reserves. According to Beosin’s analysis, the stolen funds—totaling 8,535.36 ETH—were primarily transferred to two addresses: 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 (holding 4,267.09 ETH) and 0x273589ca3713e7becf42069f9fb3f0c164ce850a (holding 4,001 ETH). The attacker’s address (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) still retains 267.71 ETH. All related addresses have been flagged as high-risk by Beosin KYT. The incident underscores the importance of security audits, contract upgrades, and incorporating emergency pause mechanisms and modern Solidity safety features to mitigate risks in legacy smart contracts.

Author: Beosin

In the early hours of January 9, an unopen-sourced contract deployed by Truebit Protocol 5 years ago was attacked, resulting in a loss of 8,535.36 ETH (worth approximately $26.4 million). The Beosin security team conducted an analysis of the vulnerability and fund tracking for this security incident and shares the results as follows:

Attack Technique Analysis

For this incident, we take the most significant attack transaction as the analysis subject, with the transaction hash: 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014

1. The attacker calls getPurchasePrice() to obtain the price

2. Subsequently calls the flawed function 0xa0296215(), setting the msg.value extremely low

Since the contract is not open-source, it is inferred from the decompiled code that this function has an arithmetic logic vulnerability, such as integer truncation issues, allowing the attacker to successfully mint a large number of TRU tokens.

3. The attacker "sells back" the minted tokens to the contract through the burn function, extracting a large amount of ETH from the contract reserves.

This process is repeated 4 more times, with the msg.value increasing each time, until almost all ETH in the contract is extracted.

Stolen Funds Tracking

Based on on-chain transaction data, Beosin conducted a detailed fund tracking through its blockchain on-chain investigation and tracking platform, BeosinTrace, and shares the results as follows:

Currently, the stolen 8,535.36 ETH, after transfers, are mostly held in 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 and 0x273589ca3713e7becf42069f9fb3f0c164ce850a.

Among them, address 0xd12f holds 4,267.09 ETH, and address 0x2735 holds 4,001 ETH. The address from which the attacker initiated the attack (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) still holds 267.71 ETH. There have been no further fund transfers from these three addresses yet.

Stolen Funds Flow Analysis Diagram by Beosin Trace

The above addresses have been marked as high-risk addresses by Beosin KYT. Taking the attacker's address as an example:

Beosin KYT

Conclusion

This stolen fund incident involves an unopen-sourced smart contract from 5 years ago. For such contracts, the project team should upgrade the contract, introduce emergency pause functions, parameter limitations, and new Solidity security features. Furthermore, security audits remain an essential step for contracts. Through security audits, Web3 enterprises can comprehensively detect smart contract code, identify and fix potential vulnerabilities, and enhance contract security.

*Beosin will provide a complete analysis report of all fund flows and address risks for this incident. Welcome to request it via the official email [email protected].

Related Questions

QWhat was the total amount of ETH stolen in the Truebit Protocol security incident?

A8,535.36 ETH, valued at approximately $26.4 million.

QWhich function did the attacker call to exploit the vulnerability in the unopened contract?

AThe attacker called the function 0xa0296215() with a very small msg.value to exploit an arithmetic logic vulnerability, likely due to integer truncation issues.

QHow did the attacker convert the fraudulently minted TRU tokens into ETH?

AThe attacker used the burn function to 'sell back' the minted TRU tokens to the contract, extracting a large amount of ETH from the contract reserves.

QWhat are the two main addresses where the stolen ETH is currently held?

AThe majority of the stolen ETH is held in addresses 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 (4,267.09 ETH) and 0x273589ca3713e7becf42069f9fb3f0c164ce850a (4,001 ETH).

QWhat security measures does Beosin recommend to prevent such incidents?

ABeosin recommends upgrading the contract to include emergency pause functions, parameter limits, and new Solidity security features, as well as conducting thorough security audits to detect and fix potential vulnerabilities.

Related Reads

XRP Ledger Security Debate Intensifies After BatchGate Scare

Following the near-miss incident known as BatchGate, a significant security concern has sparked a broader debate around governance and safety protocols on the XRP Ledger. Validator operator Daniel Keller criticized the existing review process as a "systemic failure" and withdrew support for all pending amendments. He emphasized that validators are governance participants, not unpaid auditors, and called for amendment proposers—particularly Ripple—to provide comprehensive documentation, testing, and security proofs. Keller also urged Ripple to increase investment in core protocol engineering and security. Other community members, like validator Vet, advocated for slower amendment rollouts, paid audits, and larger bug bounty programs. Keller disagreed with simply slowing down development, instead pushing for better incentives and resources to maintain progress without compromising security. The incident has raised fundamental questions about whether the XRPL’s amendment process has sufficient safeguards for the scale of changes being proposed. At the time of reporting, XRP was trading at $1.3566.

bitcoinist1h ago

XRP Ledger Security Debate Intensifies After BatchGate Scare

bitcoinist1h ago

Why Fundstrat’s Tom Lee expects a crypto market rally in March

Fundstrat's Tom Lee anticipates a crypto market rally in March, expecting the month to be net positive for risk assets despite recent geopolitical tensions involving Iran. He believes the worst of the sell-off has passed and projects gains led by cryptocurrencies like Bitcoin and Ethereum, as well as tech stocks (MAG7). Lee suggests this could extend into April. While some traders are positioning for a rebound, with options bets targeting Bitcoin prices of $74K–$75K in March, firms like QCP Capital remain cautious due to potential escalation risks and their impact on oil prices and inflation. The market is also weighing a potentially hawkish Fed pause in March. Historically, Bitcoin has averaged an 11.5% return in March, though outcomes are split evenly between positive and negative. At the time of writing, BTC was trading near $68K, with ETH consolidating around $1.8K–$2.0K. Options sentiment is mixed, with defensive near-term skews but longer-term calls targeting $80K–$90K.

ambcrypto1h ago

Why Fundstrat’s Tom Lee expects a crypto market rally in March

ambcrypto1h ago

ECB study warns stablecoins could shrink bank deposits and alter monetary policy transmission

A new European Central Bank (ECB) working paper warns that widespread adoption of stablecoins could significantly reduce bank deposits, constrain lending, and complicate the transmission of monetary policy in the euro area. The study identifies a "deposit substitution effect," where stablecoins compete with retail bank deposits, potentially forcing banks to rely more on volatile wholesale funding. This shift could weaken banks' lending capacity and make monetary policy less predictable, especially if U.S. dollar-denominated stablecoins gain traction, indirectly exposing the euro area to foreign monetary shocks. While current impacts are limited due to stablecoins' niche use in crypto trading, the paper cautions that large-scale adoption could structurally alter the traditional banking system.

ambcrypto1h ago

ECB study warns stablecoins could shrink bank deposits and alter monetary policy transmission

ambcrypto1h ago

Iran’s crypto market spikes 700% after strikes – Is this capital flight or…

Following U.S. and Israeli strikes in late February, Iran’s largest crypto exchange, Nobitex, saw a surge in withdrawals totaling nearly $3 million, raising questions about potential capital flight. However, analysis from TRM Labs suggests this was not mass capital flight but rather a market responding to volatility, connectivity constraints, and regulatory intervention. The Iranian government imposed a 99% internet blackout after the strikes, severely disrupting trading and causing overall transaction volumes to drop by 80%. The spike in withdrawals appears to have been an internal liquidity transfer rather than widespread panic. Despite the Rial trading at historic lows, the data indicates a controlled, state-influenced market under stress rather than uncontrolled capital flight. Crypto remains a relevant, though imperfect, hedge for Iranians amid economic and geopolitical instability.

ambcrypto2h ago

Iran’s crypto market spikes 700% after strikes – Is this capital flight or…

ambcrypto2h ago

Japan PM Dumps ‘Sanae Token?’ Solana Memecoin Tanks 75%

Japan's Prime Minister Sanae Takaichi denied any involvement with the Solana-based memecoin "Sanae Token," causing its value to plummet by 75%. The token, created by a Japanese entrepreneur, was launched during the peak of Solana's memecoin frenzy and was linked to a political project. Despite disclaimers, Takaichi's public statement led to a sharp sell-off, reducing its market cap from nearly $28 million to around $6 million. This incident highlights the extreme volatility and risks associated with celebrity or narrative-driven memecoins, which often experience rapid, significant losses after initial hype fades.

bitcoinist2h ago

Japan PM Dumps ‘Sanae Token?’ Solana Memecoin Tanks 75%

bitcoinist2h ago

Trading

Spot
Futures
活动图片

Hot Categoriesright-arrow

Hot Tagsright-arrow