- Truebit suffered an integer-overflow exploit that let an attacker mint tokens and withdraw about $26 million.
- On-chain bots quickly replicated the Truebit exploit, accelerating losses and market impact.
- Futureswap was hit twice in a month, losing about $400,000 in a recent attack and roughly $1 million in total this month.
- Several older DeFi contracts remain vulnerable; security researchers urge teams to deprecate or re-audit legacy code.
- Attackers used both a minting vulnerability and a flash-loan–powered governance exploit in recent incidents.
On Thursday, the verification-layer protocol Truebit suffered a major smart-contract exploit that let an attacker mint large amounts of TRU tokens and withdraw funds. The project warned the public not to interact with the affected contract in a post on X announcing the incident.
Security analysis shows the contract had an integer-overflow vulnerability: an arithmetic result that does not fit in the EVM's 256-bit unsigned integers wraps around instead of failing, which let the attacker “infinite mint” TRU. Solidity compiled with versions before 0.8.0 wraps silently unless the code uses a checked-arithmetic library such as SafeMath; 0.8.0 and later revert on overflow by default. The attacker burned the minted TRU and withdrew 8,535 ETH, about $26 million, and the TRU price fell to zero.
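The wrap-around behaviour described above, as an added example that is not the Truebit contract and not code from the article (the article does not say which arithmetic operation was affected): a Python model of uint256 arithmetic with a hypothetical bonding-curve token whose `transfer` lacks a balance check. Unchecked, a sender with zero balance who transfers one token ends up holding 2**256 - 1 and can burn enough to empty the contract's reserve; with checked arithmetic the same call reverts. Token name, amounts and the 1 wei = 1 token curve are constructed for illustration.

```python
"""Python model of EVM uint256 arithmetic: why an unchecked subtraction lets
an attacker 'infinite mint', and how checked math turns it into a revert.
Added example; not the Truebit contract. Token, amounts and bonding-curve
shape are constructed for illustration."""

UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for an EVM revert: the transaction fails and state is unchanged."""


def add256(a: int, b: int, checked: bool) -> int:
    """uint256 addition. checked=False wraps modulo 2**256 like Solidity < 0.8.0;
    checked=True reverts on overflow like Solidity >= 0.8.0 or SafeMath."""
    r = a + b
    if r > UINT256_MAX:
        if checked:
            raise Revert("addition overflow")
        return r & UINT256_MAX
    return r


def sub256(a: int, b: int, checked: bool) -> int:
    """uint256 subtraction with the same two behaviours (0 - 1 wraps to 2**256 - 1)."""
    if b > a:
        if checked:
            raise Revert("subtraction underflow")
        return (a - b) & UINT256_MAX
    return a - b


class BondingToken:
    """Hypothetical token: depositing 1 wei mints 1 token, burning 1 token
    redeems 1 wei from the contract's reserve."""

    def __init__(self, checked: bool):
        self.checked = checked
        self.balances: dict[str, int] = {}
        self.total_supply = 0
        self.reserve_wei = 0  # ETH held by the contract

    def buy(self, who: str, wei: int) -> None:
        self.reserve_wei = add256(self.reserve_wei, wei, self.checked)
        self.balances[who] = add256(self.balances.get(who, 0), wei, self.checked)
        self.total_supply = add256(self.total_supply, wei, self.checked)

    def transfer(self, sender: str, to: str, amount: int) -> None:
        # Bug pattern: no `require(balances[sender] >= amount)`. With unchecked
        # math a sender holding 0 tokens who transfers 1 ends up with 2**256 - 1.
        self.balances[sender] = sub256(self.balances.get(sender, 0), amount, self.checked)
        self.balances[to] = add256(self.balances.get(to, 0), amount, self.checked)

    def burn(self, who: str, amount: int) -> int:
        """Redeem tokens for ETH; payout capped by what the contract holds."""
        self.balances[who] = sub256(self.balances.get(who, 0), amount, self.checked)
        self.total_supply = sub256(self.total_supply, amount, self.checked)
        payout = min(amount, self.reserve_wei)
        self.reserve_wei -= payout
        return payout


def run_attack(checked: bool) -> dict:
    """Replay the pattern against a contract holding 100 ETH of honest deposits."""
    t = BondingToken(checked)
    t.buy("honest", 100 * 10**18)  # constructed reserve: 100 ETH in wei
    try:
        t.transfer("attacker", "accomplice", 1)  # attacker holds 0 tokens
    except Revert as e:
        return {"reverted": str(e), "wrapped_balance": 0, "drained_wei": 0}
    wrapped = t.balances["attacker"]  # 2**256 - 1: the "infinite mint"
    drained = t.burn("attacker", t.reserve_wei)  # burn just enough to empty the reserve
    return {"reverted": None, "wrapped_balance": wrapped, "drained_wei": drained}


if __name__ == "__main__":
    for checked in (False, True):
        print("checked" if checked else "unchecked", run_attack(checked))
```

The fix is the one line of checked arithmetic (or the explicit `require`) the vulnerable path lacks; the practical lesson for old deployments is that a contract compiled before 0.8.0 needs every add, sub and mul on balances and supply audited for the same pattern.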
The vulnerable code dated back nearly five years, and the contract once held almost 44,000 ETH, according to a post on X noting its prior balance. A security researcher observing the aftermath said on X that “fuzzing bots are eating this up like piranhas.” Fuzzing bots here are automated scanners that probe deployed contracts for exploitable conditions and fire transactions the moment they find one, which is why a single disclosed bug can be drained by several parties within minutes.
Earlier today, what appears to be another attack in the same wave hit the leveraged-trading platform Futureswap on Arbitrum. On-chain monitors reported that an unverified contract (one whose source code is not published on the block explorer) lost just over $400,000 in the latest incident, bringing the project's losses this month to about $1 million, as flagged in a report on X by Defimon Alerts.
Futureswap was also targeted in December by a governance attack that used tokens borrowed via a flash loan, a loan taken and repaid within a single transaction, to pass a malicious proposal. That pattern works when a governance contract counts voting power from live token balances at the moment of the vote rather than from a checkpoint taken at an earlier block, since borrowed tokens are gone again before the block ends. That earlier attack was detailed on X, with estimated losses of at least $550,000.
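The flash-loan governance pattern above, as an added example that is not Futureswap's code (the article does not describe its governance contract): a Python model of a toy governor in two modes. Counting live balances lets a one-transaction borrow-propose-vote-repay sequence meet quorum; reading voting power from a checkpoint at the block before the proposal, the approach taken by Compound-style `getPriorVotes` and OpenZeppelin `ERC20Votes`, counts the attacker at zero because the loan never survives to a sealed block. Token amounts, quorum and account names are constructed.

```python
"""Toy governance model: live-balance voting vs. checkpointed voting under a
flash loan. Added example; not Futureswap's contract. Amounts are constructed."""


class Chain:
    """Minimal ledger that records end-of-block balance checkpoints."""

    def __init__(self, balances: dict[str, int]):
        self.balances = dict(balances)
        self.history: list[dict[str, int]] = []  # history[n] = balances at end of block n
        self.block = 0

    def seal_block(self) -> None:
        self.history.append(dict(self.balances))
        self.block += 1

    def prior_votes(self, who: str, block: int) -> int:
        """Like getPriorVotes/getPastVotes: only already-sealed blocks are readable."""
        if block >= self.block:
            raise ValueError("block not yet determined")
        return self.history[block].get(who, 0)


class Governor:
    def __init__(self, chain: Chain, quorum: int, use_checkpoints: bool):
        self.chain = chain
        self.quorum = quorum
        self.use_checkpoints = use_checkpoints
        self.proposals: list[dict] = []

    def propose(self, proposer: str) -> int:
        self.proposals.append({"proposer": proposer, "start_block": self.chain.block,
                               "for": 0, "voted": set()})
        return len(self.proposals) - 1

    def vote(self, pid: int, voter: str) -> int:
        p = self.proposals[pid]
        if voter in p["voted"]:
            raise ValueError("already voted")
        p["voted"].add(voter)
        if self.use_checkpoints:
            # Weight fixed at the block before voting opened: a flash loan in the
            # current block cannot change it.
            weight = self.chain.prior_votes(voter, p["start_block"] - 1)
        else:
            # Vulnerable: whatever the voter holds right now counts.
            weight = self.chain.balances.get(voter, 0)
        p["for"] += weight
        return weight

    def passes(self, pid: int) -> bool:
        return self.proposals[pid]["for"] >= self.quorum


def flash_loan_governance_attack(use_checkpoints: bool) -> bool:
    """Borrow, propose, vote and repay in one transaction; return whether it passed."""
    chain = Chain({"pool": 600, "alice": 250, "bob": 150})  # constructed supply: 1000
    chain.seal_block()  # block 0 sealed: attacker holds nothing
    gov = Governor(chain, quorum=500, use_checkpoints=use_checkpoints)

    loan = 600  # everything the lending pool holds, more than quorum on its own
    chain.balances["pool"] -= loan
    chain.balances["attacker"] = chain.balances.get("attacker", 0) + loan
    pid = gov.propose("attacker")
    gov.vote(pid, "attacker")
    chain.balances["attacker"] -= loan  # repay inside the same transaction
    chain.balances["pool"] += loan
    assert chain.balances["attacker"] == 0, "loan must be repaid or the tx reverts"
    chain.seal_block()  # block 1: no checkpoint ever shows the attacker holding tokens
    return gov.passes(pid)


if __name__ == "__main__":
    print("live balances  :", "passed" if flash_loan_governance_attack(False) else "failed")
    print("checkpointed   :", "passed" if flash_loan_governance_attack(True) else "failed")
```

A production governor adds a proposal threshold checked the same way (against a past block), a voting delay and a timelock before execution, so that even a proposal that somehow passes gives token holders time to react; the checkpoint alone is what makes the single-transaction variant fail.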
Pseudonymous ex-Yearn security researcher storming0x urged teams to act, recommending that they “either deprecate/sunset or reaudit” legacy contracts and “implement preventive actions”, and telling users to “withdraw from old contracts.” Their full comments are on X. They warned, “It’s going to keep happening.”
Several projects that were prominent during the 2020–2022 DeFi boom — including Ribbon Finance, Rari Capital and Yearn — had contracts targeted in December, prompting speculation that attackers are reassessing older code. The recent cases underline calls for teams to audit or retire outdated contracts to protect users.
