Truebit Protocol security incident: attack analysis and tracing of the stolen funds, with losses exceeding $26 million

Summary

On January 9th, the Truebit Protocol suffered a major security breach, losing 8,535.36 ETH (worth approximately $26.4 million) from a five-year-old, closed-source smart contract.

  • Attack Method: The attacker exploited an arithmetic logic flaw (inferred from the decompiled bytecode to be an integer truncation issue) in one function of the unverified contract. By calling this function with a minimal msg.value, they minted a large number of TRU tokens illegitimately, then "sold" those tokens back to the contract through its burn function, draining nearly all of the contract's ETH reserves over a series of transactions.
  • Funds Tracking: The stolen ETH, totalling over $26 million, has been traced to three addresses. The majority sits in two wallets flagged as high-risk (0xd12f... and 0x2735...), with a smaller amount remaining in the address the attack was launched from. No further transfers from these addresses have been detected at the time of writing.
  • Key Takeaways: The incident shows the risk of keeping outdated, unaudited, closed-source contracts live with real reserves. Project teams should upgrade such legacy contracts with emergency pause functions, parameter limits, and the safety features of current Solidity versions, and regular professional security audits remain essential for catching flaws of this kind before an attacker does.

Author: Beosin

In the early hours of January 9th, a closed-source contract deployed by Truebit Protocol five years prior was attacked, resulting in a loss of 8,535.36 ETH (worth approximately $26.4 million). The Beosin security team conducted a vulnerability and fund tracking analysis of this security incident and shares the results below:

Attack Method Analysis

We analyze the most significant of the attack transactions in this incident, with the transaction hash: 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014

1. The attacker calls getPurchasePrice() to obtain the current token price.

2. The attacker then calls the flawed function with selector 0xa0296215 (its name is unknown because the contract is unverified), with msg.value set to an extremely small amount.

Since the contract source is not published, the vulnerability is inferred from the decompiled bytecode: the function's arithmetic is flawed, most likely through an integer truncation, so the number of TRU tokens minted is not bounded by the ETH actually paid, and the attacker receives a very large amount of TRU.

3. The attacker calls the burn function to "sell" the minted tokens back to the contract, withdrawing a large amount of ETH from its reserves.

This sequence is repeated four more times, with a larger msg.value each time, until almost all of the ETH in the contract has been withdrawn.
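The three steps above, modelled in Python as an added example (this is not Truebit's code, and Beosin did not publish the decompiled function). Because the contract is unverified, the exact defect is unknown; the model assumes one concrete truncation bug, the purchase cost being narrowed to 128 bits before the payment check, as the old Solidity cast uint128(x) would do, and pairs it with a hardened version carrying the pause, parameter limits and full-width arithmetic the conclusion recommends. The curve shape, the limit values, the Curve class and the function names are all assumptions:

```python
"""Model of a bonding-curve purchase/burn pair with an integer-truncation flaw.

Added illustration in Python, not Truebit's Solidity: the exploited contract is
unverified and the analysis only infers an arithmetic flaw from decompiled
bytecode. The defect modelled here, the purchase cost being narrowed to 128 bits
before the payment check, is an ASSUMPTION chosen to show how a tiny msg.value
can pay for an enormous mint. The curve shape and the limits in the hardened
version are likewise illustrative.
"""
from dataclasses import dataclass

WEI = 10**18                       # 1 ETH, and also one whole token (18 decimals)
MASK128 = (1 << 128) - 1           # effect of a Solidity uint128(x) cast
MAX_TOKENS_PER_TX = 10**6 * WEI    # illustrative parameter limit for the hardened version


@dataclass
class Curve:
    reserve_wei: int     # ETH held by the contract
    supply: int          # tokens outstanding
    paused: bool = False

    def purchase_price(self) -> int:
        """Price of one whole token in wei; a simple linear curve (assumed shape)."""
        return 10**15 + self.supply // 10**9


def truncated_cost(price: int, amount: int) -> int:
    """Cost as the flawed contract computes it: unchecked multiply, then uint128 cast."""
    return (price * amount // WEI) & MASK128


def craft_amount(price: int) -> int:
    """Smallest amount whose full cost is exactly 2**128, so the truncated cost is 0.

    ceil(2**128 * WEI / price) puts price*amount in [2**128*WEI, 2**128*WEI + price);
    with price < WEI the floor division then yields exactly 2**128, which masks to 0.
    """
    return -(-(1 << 128) * WEI // price)


def vulnerable_purchase(c: Curve, amount: int, msg_value: int) -> None:
    """Pre-0.8 style: no overflow checks, cost narrowed before the comparison."""
    if msg_value < truncated_cost(c.purchase_price(), amount):
        raise ValueError("insufficient payment")
    c.reserve_wei += msg_value
    c.supply += amount


def hardened_purchase(c: Curve, amount: int, msg_value: int) -> int:
    """Same function with the safeguards the analysis recommends; returns the cost charged."""
    if c.paused:
        raise RuntimeError("purchases paused")
    if not 0 < amount <= MAX_TOKENS_PER_TX:
        raise ValueError("amount out of bounds")
    cost = c.purchase_price() * amount // WEI   # full width; Solidity >= 0.8 reverts on overflow
    if cost == 0 or msg_value < cost:
        raise ValueError("insufficient payment")
    c.reserve_wei += msg_value
    c.supply += amount
    return cost


def burn(c: Curve, amount: int) -> int:
    """Sell tokens back at the current price; the payout is capped by the reserve."""
    payout = min(c.purchase_price() * amount // WEI, c.reserve_wei)
    c.supply -= amount
    c.reserve_wei -= payout
    return payout


def run_exploit(reserve_eth: int = 8535) -> tuple:
    """The attacker's sequence: read the price, mint for 1 wei, burn to drain.

    Returns (tokens_minted, wei_drained).
    """
    c = Curve(reserve_wei=reserve_eth * WEI, supply=10**6 * WEI)
    amount = craft_amount(c.purchase_price())    # step 1: read price, size the mint
    vulnerable_purchase(c, amount, msg_value=1)  # step 2: msg.value = 1 wei passes the check
    drained = burn(c, amount)                    # step 3: sell back, emptying the reserve
    return amount, drained


if __name__ == "__main__":
    minted, drained = run_exploit()
    print(f"minted {minted // WEI} tokens for 1 wei, drained {drained / WEI:.2f} ETH")
```

The point of the crafted amount is that the attacker never pays for the tokens: the full-width cost is astronomically large, but the narrowed value the contract compares against msg.value is zero. The hardened version fails that call twice over (the amount exceeds the per-transaction limit, and a full-width cost can never be satisfied by 1 wei), and the pause flag gives the team a way to stop trading while a fix is deployed.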

Stolen Funds Tracking

Based on on-chain transaction data, Beosin traced the funds in detail with its on-chain investigation and tracking platform, BeosinTrace; the results are as follows:

Currently, the stolen 8,535.36 ETH has been transferred, with the vast majority stored at 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 and 0x273589ca3713e7becf42069f9fb3f0c164ce850a.

Address 0xd12f holds 4,267.09 ETH, and address 0x2735 holds 4,001 ETH. The address from which the attacker launched the attack (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) still holds 267.71 ETH. No further fund transfers have been made from these three addresses.

[Figure: analysis chart of the stolen funds flow, by BeosinTrace]
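A minimal version of the walk behind such a chart, as an added example that is not BeosinTrace or any other Beosin tooling: starting from the attack address, follow outgoing ETH transfers, then report the balance of every address reached and whether it has moved funds on. The transfer list is constructed to mirror the figures the analysis reports and is not on-chain data; the victim contract and the attacker's gas-funding source are placeholders, and a real investigation would fetch the list from a node or an explorer API:

```python
"""Walk outgoing ETH transfers from a seed address and report where the funds sit.

Added example, not BeosinTrace. The transfer list is CONSTRUCTED to mirror the
flows the analysis reports (values in wei). Gas is ignored, and balances only
reflect the transfers in the list, so sources whose prior balance is unknown
(the victim contract, the funding source) come out negative and are excluded.
"""
from collections import defaultdict, deque

ETH = 10**18
VICTIM = "victim_contract"         # placeholder: the unverified Truebit contract
FUNDER = "gas_funding_source"      # placeholder: wherever the attacker's gas came from
ATTACKER = "0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50"
HOLD_A = "0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60"
HOLD_B = "0x273589ca3713e7becf42069f9fb3f0c164ce850a"

# (from, to, value_wei): constructed sample, not on-chain data
TRANSFERS = [
    (FUNDER, ATTACKER, 44 * 10**16),         # 0.44 ETH for gas (assumed)
    (VICTIM, ATTACKER, 853_536 * 10**16),    # 8,535.36 ETH drained across the attack txs
    (ATTACKER, HOLD_A, 426_709 * 10**16),    # 4,267.09 ETH
    (ATTACKER, HOLD_B, 4_001 * ETH),         # 4,001 ETH
]


def trace(transfers, seed):
    """Addresses reachable from `seed` by following outgoing transfers (breadth-first)."""
    out = defaultdict(list)
    for src, dst, _ in transfers:
        out[src].append(dst)
    seen, queue = {seed}, deque([seed])
    while queue:
        addr = queue.popleft()
        for nxt in out[addr]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def balances(transfers):
    """Net balance change per address implied by the transfer list."""
    bal = defaultdict(int)
    for src, dst, value in transfers:
        bal[src] -= value
        bal[dst] += value
    return bal


def holdings(transfers, seed):
    """For every address the seed's funds reached and that still holds ETH:
    address -> (balance_wei, has_outgoing_transfers)."""
    bal = balances(transfers)
    movers = {src for src, _, _ in transfers}
    return {a: (bal[a], a in movers) for a in trace(transfers, seed) if bal[a] > 0}


def fmt_eth(wei):
    return f"{wei / ETH:,.2f} ETH"


if __name__ == "__main__":
    for addr, (bal, moved) in holdings(TRANSFERS, ATTACKER).items():
        status = "has outgoing transfers" if moved else "no outgoing transfers"
        print(f"{addr}: {fmt_eth(bal)} ({status})")
```

Addresses with a positive balance and no outgoing transfers are the ones to watch: any later movement from them is the next hop of the trace, and the same walk re-run on fresh transfer data will pick it up.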

All the addresses listed above have been flagged as high-risk by Beosin KYT. For example, consider the attacker's address:

[Figure: Beosin KYT risk flag for the attacker's address]

Conclusion

The exploited contract was deployed five years ago with unpublished source code. Project teams should upgrade such legacy contracts, introducing emergency pause functions, parameter limits, and the safety features of current Solidity versions (checked arithmetic has been the default since 0.8). Security auditing also remains an essential part of contract management: through a security audit, a Web3 team can review the contract code comprehensively, identify and fix potential vulnerabilities, and improve the contract's security before it holds real reserves.

*Beosin will provide a complete analysis report on all fund flows and address risks. You are welcome to request it via the official email address support@beosin.com.


This article represents the views of PANews columnist and does not represent PANews' position or legal liability.


Image source: Beosin. Please contact the author for removal if there is infringement.
