**Truebit Exploit Exposes Smart Contract Flaw Behind $26M Token Mint**

The Truebit protocol, a decentralized offline computation platform, has suffered a significant loss of $26 million due to a critical vulnerability in its smart contract logic. The exploit allowed an attacker to mint tokens at nearly zero cost, resulting in a 99% crash for the Truebit (TRU) token.

According to a post-mortem analysis published by blockchain security company SlowMist, the attacker took advantage of a loophole in the protocol's smart-contract logic. This flaw enabled them to mint "massive amounts of tokens without paying any ETH," the report revealed.

The issue was caused by a lack of overflow protection in an integer addition operation within the Purchase contract of the Truebit Protocol. When calculating the amount of ETH required to mint TRU tokens, the contract's price calculations were erroneously reduced to zero. This allowed the attacker to drain the contract's reserves by minting $26 million worth of tokens "at nearly no cost," the post-mortem analysis said.
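The failure mode described above, shown as an added Python model that is not code from Truebit or from SlowMist's report. The pricing formula, the constants and every function name are hypothetical; only the unguarded 256-bit addition in the price calculation mirrors the reported flaw.

```python
UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Stands in for an EVM revert."""

def checked_mul(a, b):
    c = a * b
    if c > UINT256_MAX:
        raise Revert("mul overflow")
    return c

def checked_add(a, b):
    c = a + b
    if c > UINT256_MAX:
        raise Revert("add overflow")
    return c

def wrapping_add(a, b):
    # Unguarded 256-bit addition: only the low 256 bits survive.
    return (a + b) & UINT256_MAX

# Hypothetical pricing constants, picked so the arithmetic is easy to follow.
TERM_A_RATE = 3 << 126
TERM_B_RATE = 1 << 126
SCALE = 10**18

def eth_required(amount, add):
    """Quote the wei owed for `amount` tokens; `add` is the adder under test."""
    term_a = checked_mul(amount, TERM_A_RATE)   # each product fits in 256 bits
    term_b = checked_mul(amount, TERM_B_RATE)
    return add(term_a, term_b) // SCALE         # the sum is where the guard matters

def mint(amount, wei_paid, add):
    """Mint `amount` tokens if the payment covers the quoted price."""
    if wei_paid < eth_required(amount, add):
        raise Revert("insufficient ETH")
    return amount

if __name__ == "__main__":
    one_token, huge = 10**18, 1 << 128          # constructed inputs
    print("1 token :", eth_required(one_token, wrapping_add))
    print("2**128  :", eth_required(huge, wrapping_add))  # sum is exactly 2**256
    print("minted  :", mint(huge, 0, wrapping_add))
    try:
        mint(huge, 0, checked_add)
    except Revert as exc:
        print("checked :", exc)
```

With the wrapping adder the quote depends only on the low bits of the sum, so a large enough request is priced as if it were a tiny one; the checked adder rejects the same call.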

The exploit highlights a persistent security risk in blockchain projects, even those with a long history like Truebit. Launched on the Ethereum mainnet almost five years ago in April 2021, Truebit is one of the established protocols that have been compromised by hackers. The incident serves as a reminder that no project is completely immune to security threats.

Smart-contract security has attracted attention recently, with an Anthropic study revealing that commercially available artificial intelligence (AI) agents had found $4.6 million worth of smart contract exploits last year. This raises concerns about the potential for AI-powered hacking tools to be used by malicious actors in the future.

The exploit also underscores the importance of regular security audits and testing to identify vulnerabilities before attackers can exploit them. In this case, the missing overflow protection in the Truebit protocol's smart contract logic proved to be a critical flaw.

**Smart-Contract Bugs: The Largest Attack Vector of 2025**

According to SlowMist's year-end report, smart-contract vulnerabilities were the largest attack vector for the cryptocurrency industry in 2025. Contract vulnerabilities accounted for 30.5% of all crypto exploits, while hacked X accounts and private key leaks ranked second and third, respectively.

A separate year-end report from CertiK ranked crypto phishing scams as the second-largest threat of 2025, with a cumulative loss of $722 million across 248 incidents. While this number is lower than the $1 billion stolen through phishing scams in 2024, it still highlights the importance of remaining vigilant against social engineering schemes that don't require hacking code.

The Truebit exploit serves as a wake-up call for projects to prioritize smart-contract security and regular testing to prevent similar incidents from occurring in the future. As the cryptocurrency industry continues to grow and evolve, security threats will likely become more sophisticated, making it essential for projects to stay ahead of the curve and protect their users' assets.

**Sources:**

  • Cointelegraph: Truebit loses $26 million in exploit, TRU price crashes 99%
  • SlowMist Post-Mortem Analysis: Truebit Exploit Report
  • Anthropic Research Paper: Smart Contract Security and AI-Powered Hacking Tools
  • CertiK Year-End Report: Crypto Phishing Scams Emerge as Second-Largest Threat in 2025