Tuesday, January 27, 2026

Truebit Protocol Drained of $26M in ‘Archeological’ Smart Contract Exploit

A legacy integer overflow bug in Solidity 0.6.10 allowed an attacker to mint free tokens and drain 8,535 ETH, sending TRU to zero.

Ethereum verification protocol Truebit has effectively collapsed after a critical integer overflow vulnerability allowed an attacker to drain 8,535 ETH ($26.4 million) from its primary treasury. The exploit, rooted in five-year-old code, triggered a catastrophic 99% erasure of the native TRU token’s value, which plummeted from $0.16 to fractions of a penny ($0.00007) within hours.

The Receipt: A Math Error from 2021

The vector was not a new zero-day, but a legacy failure in Solidity version 0.6.10. According to a post-mortem by SlowMist, the protocol’s Purchase contract lacked modern overflow protection (SafeMath).

In Solidity versions prior to 0.8.0, arithmetic operations do not automatically revert when they hit the maximum value of a 256-bit integer. The attacker exploited this by inputting a precisely calculated minting volume. This forced the variable storing the ETH cost to wrap around the integer limit, resetting the price to effectively zero.

"The attacker invoked the minting function… passing in the token amount. Since the required ETH price was calculated as zero, the attacker paid no ETH and successfully minted [trillions of] TRU tokens."
- SlowMist Security Team

The attacker then dumped the free tokens back into the protocol’s bonding curve, draining the ETH reserves in a single block. The exploited contract was deployed in 2021 and had apparently gone unmonitored for upgrades despite known risks in legacy Solidity syntax.
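The wraparound described above can be modeled outside the EVM. The following is an added illustration, not code from Truebit or SlowMist: it simulates uint256 multiplication in Python, with a hypothetical flat per-token price (`PRICE_WEI`) and hypothetical function names standing in for the contract's real pricing formula, which this article does not reproduce. It places the unchecked pre-0.8.0 behavior beside the checked behavior that SafeMath or Solidity 0.8.0+ enforces.

```python
# Added illustration: models EVM uint256 arithmetic in Python.
# PRICE_WEI, OVERFLOW_AMOUNT and all function names are hypothetical/constructed;
# this is not Truebit's pricing formula.
UINT256_MAX = 2**256 - 1
PRICE_WEI = 2**40          # constructed per-token price in wei
OVERFLOW_AMOUNT = 2**216   # constructed: amount * PRICE_WEI == 2**256


class Revert(Exception):
    """Stands in for an EVM revert."""


def cost_unchecked(amount: int) -> int:
    """Solidity < 0.8.0 without SafeMath: the product silently wraps mod 2**256."""
    return (amount * PRICE_WEI) & UINT256_MAX


def cost_checked(amount: int) -> int:
    """SafeMath.mul / Solidity >= 0.8.0: revert instead of wrapping."""
    if not 0 <= amount <= UINT256_MAX:
        raise Revert("amount is not a uint256")
    product = amount * PRICE_WEI
    if product > UINT256_MAX:
        raise Revert("multiplication overflow")
    return product


def mint(amount: int, eth_sent: int, cost_fn) -> int:
    """Mint `amount` tokens only if the caller paid the computed cost."""
    if eth_sent < cost_fn(amount):
        raise Revert("insufficient payment")
    return amount


def overflows(amount: int) -> bool:
    """Review/monitoring check: does the true product exceed uint256?"""
    return amount * PRICE_WEI > UINT256_MAX


if __name__ == "__main__":
    print("normal cost:", cost_unchecked(1000))
    print("wrapped cost:", cost_unchecked(OVERFLOW_AMOUNT))
    print("unchecked mint for 0 wei:", mint(OVERFLOW_AMOUNT, 0, cost_unchecked))
    try:
        mint(OVERFLOW_AMOUNT, 0, cost_checked)
    except Revert as exc:
        print("checked mint reverted:", exc)
```

For ordinary amounts both cost functions agree; they diverge only when the true product exceeds 2**256 - 1, which is why this class of bug can sit unnoticed in a deployed contract for years.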

The Aftermath: Laundering and Liquidity Death

On-chain data confirms the attacker moved swiftly to obscure the paper trail. Approximately 50% of the stolen 8,535 ETH was immediately funneled through Tornado Cash, the sanctioned privacy mixer, complicating recovery efforts. The Truebit team confirmed the breach on X, urging users to revoke permissions, though for the treasury, the warning came too late.

This incident underscores a growing sector-wide threat: "Zombie Contracts." As protocols age, immutable smart contracts deployed during the 2020-2021 DeFi summer are becoming sitting ducks for sophisticated searchers looking for unpatched legacy bugs. Unlike modern contracts protected by audits and newer compiler safeguards, these dormant contracts effectively hold bounties that only expire when they are drained.

TRU remains illiquid and untradeable on major venues as market makers pulled liquidity to avoid absorbing the exploiter’s dump.