The Truebit Protocol lost roughly $26M after an attacker exploited a legacy smart contract to mint an effectively unlimited supply of TRU tokens and drain liquidity. The breach moved about 8,535 ETH and sent the native TRU token to near-zero levels within hours.
According to on-chain analysis and contemporaneous reporting, the attacker triggered what reports described as an “infinite mint” function in a legacy contract. The flaw—an integer overflow exacerbated by the absence of native overflow checks in that Solidity version—allowed creation of TRU at negligible cost.
With a flooded token supply, the attacker drained protocol liquidity and converted balances out of the ecosystem; the funds were then moved in a way that obscured their trail.
The incident exposed a silent integer-overflow vulnerability in a contract compiled with Solidity 0.6.10 and deployed in 2021; the flaw went undetected amid insufficient ongoing audits.
The breach underscores the risk legacy contracts pose to DeFi liquidity. Even protocols that launched years earlier remain vulnerable if they rely on older compiler versions and lack continuous third-party review. The immediate market effect was severe: TRU’s market capitalization collapsed and pools suffered sharp outflows, worsening price discovery and liquidity for holders and counterparties.
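The following is an added example, not part of the original article and not Truebit's code: a heuristic inventory check that flags Solidity sources whose `pragma` admits compilers older than 0.8.0, the first release where arithmetic is checked by default. The file names and sample sources are constructed, and the SafeMath detection is a plain text match.

```python
import re

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
SAFEMATH_RE = re.compile(r"using\s+SafeMath\s+for\s+uint(?:256)?\s*;")
CHECKED_SINCE = (0, 8, 0)  # first compiler release with checked arithmetic by default


def lowest_allowed_version(constraint):
    """Smallest version a pragma constraint names as a lower bound (heuristic)."""
    normalized = re.sub(r"([<>=^~]+)\s+", r"\1", constraint)  # ">= 0.6.0" -> ">=0.6.0"
    lows = []
    for token in normalized.replace("||", " ").split():
        if token.startswith("<"):  # upper bounds do not set a floor
            continue
        m = VERSION_RE.search(token)
        if m:
            lows.append(tuple(int(p or 0) for p in m.groups()))
    return min(lows) if lows else (0, 0, 0)  # no floor stated: assume the worst


def audit(name, source):
    """Classify one Solidity source string by its exposure to silent wrap-around."""
    m = PRAGMA_RE.search(source)
    floor = lowest_allowed_version(m.group(1)) if m else (0, 0, 0)
    if floor >= CHECKED_SINCE:
        risk = "ok"        # overflow reverts unless code opts out explicitly
    elif SAFEMATH_RE.search(source):
        risk = "review"    # wraps by default; confirm every operation uses SafeMath
    else:
        risk = "high"      # raw arithmetic wraps modulo 2**256 with no revert
    return {"file": name, "floor": floor, "risk": risk}


# Constructed sample sources (not taken from any real project).
SAMPLES = {
    "Legacy.sol": "pragma solidity 0.6.10;\ncontract L { function f(uint a, uint b) "
                  "public pure returns (uint) { return a * b; } }",
    "Guarded.sol": "pragma solidity ^0.6.0;\ncontract G { using SafeMath for uint256; }",
    "Range.sol": "pragma solidity >=0.7.0 <0.9.0;\ncontract R {}",
    "Modern.sol": "pragma solidity ^0.8.19;\ncontract M {}",
}

if __name__ == "__main__":
    for fname, src in SAMPLES.items():
        print(audit(fname, src))
```

A "high" or "review" result is a prompt for manual review of the contract's arithmetic, not proof of an exploitable overflow.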
How the Truebit exploit unfolded
Security practitioners emphasized the structural lesson: ongoing audits and proactive code hardening are integral to platform resilience. “The exploit serves as a potent reminder of the fragility of DeFi protocols reliant on legacy smart contracts,” said analysts covering the incident.
From a compliance angle, the rapid laundering of proceeds complicates recovery and increases pressure on exchanges and on-chain analytics providers to trace and freeze tainted assets. For institutional participants, the episode raises questions about custody exposures, counterparty risk and the adequacy of due diligence on tokenized assets tied to older codebases.
Investors and product teams are now watching Truebit’s remediation steps and any independent audit updates; those actions will determine whether governance and security processes can restore liquidity and market confidence.
