The $26M Legacy Hangover: Truebit’s Zombie Contract Eats Itself

The Scene¶

Thursday, January 8, 2026. 16:00 London Time.
The mempool was relatively quiet. Most eyes were on the new Layer 3 scaling wars, but deep in the Ethereum mainnet, a bot was poking around a relic. The Truebit protocol, a verification layer that’s been around since the early days, had a “Purchase” contract deployed years ago. It was sitting there, unverified on Etherscan, gathering digital dust.

Then, the alarm bells shattered the silence.

PeckShieldAlert on X (formerly Twitter) fired the first warning shot. The chain data was ugly: a massive outflow of ETH from Truebit’s reserves. No slow drain, no test transactions. Just a sudden, violent hemorrhage. By the time the devs scrambled to their keyboards, the damage was already done. 8,535 ETH—worth ~$26.5 million—was sitting in the attacker’s wallet, and the native token (TRU) was nose-diving to zero.

The Anatomy¶

This wasn’t a “sophisticated state-sponsored attack.” This was basic arithmetic gone wrong.

The exploit targeted a legacy contract (Address: 0x764C...02EF2) compiled with Solidity 0.6.10. For the new bloods reading this: Solidity versions prior to 0.8.0 did not automatically check for integer overflows. You had to use OpenZeppelin’s SafeMath library.

Truebit used SafeMath in most places. But they missed one spot.

The Crime Scene Tape:
The vulnerability lay in the getPurchasePrice function. The attacker crafted an input amount so astronomically high that when the contract tried to calculate the cost, the number exceeded the 256-bit storage limit. Instead of reverting, the number wrapped around—like an odometer rolling from 999,999 back to 0.

Here’s the logic that killed the protocol (simplified for clarity):

// IMPACT: CRITICAL
// VERSION: Solidity 0.6.10 (No built-in overflow protection)

function getPurchasePrice(uint256 amount) public view returns (uint256) {
    // The fatal flaw: Unchecked multiplication/addition
    // If 'amount' is massive, 'cost' overflows and wraps to near-zero
    uint256 cost = amount * currentPrice; 
    return cost; 
}

function buyTRU(uint256 amount) public payable {
    uint256 cost = getPurchasePrice(amount);
    require(msg.value >= cost, "Not enough ETH"); // PASSES because cost is 0

    _mint(msg.sender, amount); // Mints millions of TRU for free
}

The attacker called buyTRU with this overflowed input, paying dust (wei) to mint millions of TRU tokens. Then, they simply turned around and called sellTRU, dumping the free tokens back into the bonding curve for real ETH.

They rinsed and repeated this cycle in a single atomic transaction. The protocol’s reserves were drained before the next block was even proposed.

The Fallout¶

Chaos. Absolute chaos.

The TRU token didn’t just dip; it evaporated. The price crashed 99% instantly, wiping out liquidity providers and holders who had nothing to do with the legacy contract. The attacker, operating from address 0x6c8e...2b50, didn’t waste time. They split the loot between two wallets (0x2735...cE850a and 0xD12f...031a6) and immediately started washing it through Tornado Cash.

Corporate PR tried to stabilize the narrative. Truebit’s team acknowledged the “security incident” and advised users to stop interacting with the contract. Classic war room panic. But let’s be real: telling users to avoid a contract after the vault is empty is like telling passengers to buckle up after the plane has crashed.

The “insult to injury”? The attacker paid a builder bribe to get their transaction prioritized. They literally paid the network to help them rob it faster.

The Lesson¶

If you are a dev and you still have contracts running on Solidity 0.6.x without SafeMath plastered on every line, you are sitting on a ticking time bomb.

This $26M loss wasn’t about “innovation risk.” It was technical debt. Protocols love to launch new features but hate auditing their basements. The Truebit contract was five years old. In crypto years, that’s the Jurassic period.

Don’t be this guy:
1. Audit your legacy code. If it’s live, it’s a target.
2. Migrate. Why is 2021 code holding 2026 liquidity?
3. Verify your contracts. The fact this contract was unverified on Etherscan made it harder for whitehats to spot, but clearly, the blackhats didn’t mind decompiling the bytecode.

Another day, another eight figures donated to the “School of Hard Knocks.” Drink your coffee and check your overflow flags.