Loss exceeds $26 million: Truebit Protocol security incident analysis and stolen funds flow tracking

MarsBitNews · 2026-01-09T10:54:32+00:00

On January 9th, the non-open-source contracts of Truebit Protocol were attacked, resulting in a loss of 8,535.36 ETH. The attacker exploited contract vulnerabilities to mint TRU tokens and extract a large amount of ETH. After analysis, the Beosin team traced the stolen funds, which are currently stored in two high-risk addresses. It is recommended that the project team upgrade and conduct security audits on the non-open-source contracts to prevent similar incidents.

MarsBitNews

2026-01-09 10:54:32

Abstract generation in progress

null

Author: Beosin

In the early hours of January 9th, the unopensource contract deployed five years ago by Truebit Protocol was attacked, resulting in a loss of 8,535.36 ETH (approximately $26.4 million). Beosin’s security team conducted vulnerability and fund tracking analysis of this security incident and shares the findings below:

Analysis of Attack Methods

For this incident, we focus on the main attack transaction, with transaction hash: 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014

The attacker calls getPurchasePrice() to obtain the price
Then, they invoke the flawed function 0xa0296215(), setting msg.value to a very small amount

Since the contract is not open source, we infer from decompiled code that this function contains an arithmetic logic vulnerability, such as integer truncation issues, which allowed the attacker to successfully mint a large amount of TRU tokens.

The attacker uses the burn function to “sell back” the minted tokens to the contract, extracting a large amount of ETH from the contract’s reserves.

This process is repeated 4 times, each time increasing msg.value, until nearly all ETH in the contract is drained.

Funds Theft Tracking

Based on on-chain transaction data, Beosin conducted detailed fund tracking through its blockchain investigation and tracking platform BeosinTrace, and shares the results below:

Currently, the stolen 8,535.36 ETH has been transferred and mostly stored in addresses 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 and 0x273589ca3713e7becf42069f9fb3f0c164ce850a.

Address 0xd12f holds 4,267.09 ETH, and address 0x2735 holds 4,001 ETH. The attacker’s address (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) still has 267.71 ETH, and no further fund transfers have been observed from these three addresses.

Fund Flow Analysis Map of Stolen Funds by Beosin Trace

All these addresses have been marked as high-risk addresses by Beosin KYT. Taking the attacker’s address as an example:

Beosin KYT

Conclusion

The stolen funds involve a smart contract that was not open source five years ago. For such contracts, project teams should upgrade the contract, introduce emergency pause functions, parameter restrictions, and adopt new Solidity security features. Additionally, security audits remain an essential part of the process. Through security audits, Web3 enterprises can comprehensively detect potential vulnerabilities in smart contract code, identify and fix issues, and enhance contract security.

*Beosin will provide a complete analysis report of all fund flows and address risks related to this incident. Interested parties can request it via the official email support@beosin.com.

ETH-0,48%

TRU2,7%

View Original

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.