On January 9, 2026, Truebit disclosed a severe security incident in which a vulnerability in its smart contract was exploited to siphon off about 8,535 ETH, valued at roughly $26.6 million at the time of the breach. The exploit targeted the protocol’s pricing logic in the getPurchasePrice function, enabling the attacker to mint TRU tokens at zero cost and convert them back into ETH through a bonding curve mechanism, depleting the contract’s reserves in a rapid buy-sell cycle.
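The zero-cost mint and buy-sell cycle described above can be stated as two pricing invariants and checked before deployment. The sketch below is an added example, not Truebit's code: the linear curve, its parameters, and the deliberately faulty `faulty_buy_cost` (which divides before multiplying) are constructed for illustration and do not reproduce the actual defect in getPurchasePrice, which this article does not detail.

```python
# Added example: a toy linear bonding curve, not Truebit's contract.
UNIT = 10**6              # token base units per whole token (constructed)
SLOPE = 10**3             # wei of price per whole token of supply (constructed)
DENOM = 2 * UNIT * UNIT   # shared divisor for the area under the price line

def sound_buy_cost(supply, amount):
    """Wei to mint `amount` units at `supply`: multiply first, round up."""
    return -(-(SLOPE * (2 * supply + amount) * amount) // DENOM)

def faulty_buy_cost(supply, amount):
    """Constructed bug: dividing before multiplying truncates the price to 0."""
    return (SLOPE * (2 * supply + amount) // DENOM) * amount

def sell_proceeds(supply, amount):
    """Wei paid out for burning `amount` units from `supply`: round down."""
    return SLOPE * (2 * supply - amount) * amount // DENOM

def check_pricing(buy_cost, supplies, amounts):
    """Return every invariant violation of `buy_cost` over a grid of states."""
    violations = []
    for s in supplies:
        for a in amounts:
            cost = buy_cost(s, a)
            refund = sell_proceeds(s + a, a)   # sell back what was just minted
            if cost <= 0:
                # Invariant 1: minting a non-zero amount must cost something.
                violations.append(("zero-cost mint", s, a, cost))
            if refund > cost:
                # Invariant 2: buy-then-sell must never return more than paid.
                violations.append(("profitable round trip", s, a, refund - cost))
    return violations

# Constructed test grid: empty curve, small supply, large supply.
SUPPLIES = [0, 10**8, 10**12]
AMOUNTS = [1, 10**6, 10**8]

if __name__ == "__main__":
    for name, fn in (("sound", sound_buy_cost), ("faulty", faulty_buy_cost)):
        found = check_pricing(fn, SUPPLIES, AMOUNTS)
        print(f"{name}: {len(found)} violation(s)")
        for v in found:
            print("  ", v)
```

The same two invariants translate directly into property-based or fuzz tests against a contract's real pricing functions on a forked chain state.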
Truebit’s official channels confirmed the incident in a post on X: “Today, we became aware of a security incident involving one or more malicious actors. The affected smart contract is 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2 and we strongly advise the public not to interact with this contract until further notice. We are in contact with law enforcement.”
On-chain analysis from blockchain sleuths such as Lookonchain revealed that the total amount drained exceeded the initially flagged balance, indicating that multiple transactions were used to mask the full scope of the theft. PeckShield data confirmed that most of the stolen ETH was consolidated into a single address before portions were routed through Tornado Cash to obfuscate the trail. The attacker also executed a secondary drain of TRU tokens worth approximately $300,000.
Market reaction was immediate and severe. According to Nansen data, TRU’s price plummeted from near $0.16 to a fraction of a cent, effectively wiping out almost all market value in under 24 hours. Trading volume spiked as panic selling ensued, with many holders unable to offload positions at any price.
This breach marks one of the largest DeFi exploits of early 2026, following significant incidents in late 2025 such as Flow’s counterfeit token exploit and the Trust Wallet Chrome extension hack. Despite a broader decline in total hack losses—from $194 million in November 2025 to $76 million in December—high-profile hacks continue to underscore persistent vulnerabilities in smart contract code and the need for rigorous security audits.
Truebit’s development team has paused all related contracts, initiated an internal investigation, and engaged third-party forensic experts to conduct a full technical post-mortem. Efforts to negotiate a partial recovery of the stolen funds are ongoing, though the decentralized nature of the breach and use of privacy mixers complicate tracing and retrieval. Meanwhile, users and developers are reassessing risk management practices for DeFi protocols, emphasizing the importance of formal audits, bug bounty programs, and timelocked upgrade mechanisms to mitigate future exploits.