
Explained: The Truebit Hack (January 2026)

Category: Explained: Hacks


POSTED BY: Rob Behnke

01.09.2026

In January 2026, Truebit experienced a hack against its TRU purchase/minting smart contract. The attacker was able to mint TRU tokens at negligible cost, then sell them back to a bonding-curve pool for an estimated $26 million in profit.

Inside the Attack

The Truebit hacker took advantage of a five-year-old smart contract within the Truebit ecosystem. The contract was closed-source, concealing the program code and the functionality that it contains.

The attacker exploited a flaw in the smart contract’s pricing math for the TRU token, which drove the price per token very close to zero. When the attacker submitted an extremely large mint request with a carefully chosen msg.value, the price the contract computed for the TRU tokens was incorrect. These mints go through getPurchasePrice, which in turn calls another pricing function with a low msg.value. Because the contract is closed-source, the exact defect in that function is difficult to determine.

With a low-cost source of TRU tokens, the attacker could drain value from the contract by selling the tokens back to it at full price. The attacker issued a series of high-value mint requests that netted a large quantity of TRU at negligible cost. Each request used a carefully selected, steadily increasing msg.value, chosen so that the contract stayed in a state where it kept reporting incorrect TRU prices.

After accumulating TRU tokens, the attacker burned them to extract ETH from the smart contract. In total, an estimated 8,535 ETH was stolen, a loss of approximately $26 million.

The attacker also took advantage of the incentive structure of block production, paying a small bribe to have their transactions prioritized and shielded from interference or frontrunning. This helped ensure that they could keep forcing the contract into the desired state and stay ahead of recovery efforts by the TRU team.

Lessons Learned from the Attack

The attacker targeted a legacy, vulnerable smart contract that had never been updated or replaced despite holding significant ETH reserves. Because the contract remained live and funded, the attacker could probe the functionality of the closed-source contract and identify an exploitable vulnerability for a significant profit.

This incident demonstrates the importance of smart contract audits and regular review and monitoring of deployed code for unusual activity. To learn more about protecting your smart contracts against potential attack, get in touch.
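The two defensive controls this incident points at are an on-chain invariant (minting and immediately burning the same tokens must never return more ETH than was paid) and off-chain monitoring that compares what each mint actually paid against what the pricing curve says it should have cost. The following Python model is an added example written for this post, not Truebit's code: Truebit's pricing contract is closed-source, so the linear bonding curve, its constants, the mint_cost/burn_refund functions and the sample mint events are all hypothetical constructions. It shows the round-trip check a bonding-curve contract should enforce and a monitor that flags a mint of a huge token amount for a negligible msg.value, the pattern described above.

```python
from dataclasses import dataclass

# Hypothetical linear bonding curve, constructed for this example.
# Truebit's real pricing code is closed-source; these constants are NOT its parameters.
BASE_PRICE_WEI = 10**15          # price of the first token (0.001 ETH)
SLOPE_WEI = 10**11               # price increase per token already in supply


def spot_price(supply: int) -> int:
    """Price in wei of the next single token when `supply` tokens exist."""
    return BASE_PRICE_WEI + SLOPE_WEI * supply


def mint_cost(supply: int, amount: int) -> int:
    """Exact wei a buyer must pay to mint `amount` tokens on top of `supply`.

    Discrete sum of spot prices for tokens supply .. supply+amount-1.
    amount*(amount-1) is always even, so the division is exact: no rounding
    loss that could under-price a very large mint."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    return BASE_PRICE_WEI * amount + SLOPE_WEI * (supply * amount + amount * (amount - 1) // 2)


def burn_refund(supply: int, amount: int) -> int:
    """Wei returned when `amount` tokens are burned from `supply`, walking the same curve down."""
    if not 0 < amount <= supply:
        raise ValueError("cannot burn more than supply")
    return mint_cost(supply - amount, amount)


def round_trip_is_safe(supply: int, amount: int, paid_wei: int) -> bool:
    """Invariant a minting contract should enforce at the end of every mint:
    immediately burning what was just minted must never return more ETH than
    was paid. A mint that violates this is a free-money path."""
    return burn_refund(supply + amount, amount) <= paid_wei


@dataclass
class MintEvent:
    tx_hash: str          # constructed placeholder, not a real transaction hash
    supply_before: int    # token supply when the mint executed
    tokens_minted: int
    msg_value_wei: int


def flag_underpriced_mints(events, max_discount_bps: int = 100):
    """Off-chain monitor: flag mints whose msg.value is more than `max_discount_bps`
    basis points below what the curve says those tokens should have cost.
    Returns (tx_hash, expected_wei, paid_wei) tuples."""
    flagged = []
    for ev in events:
        expected = mint_cost(ev.supply_before, ev.tokens_minted)
        # Pure integer comparison: paid * 10_000 < expected * (10_000 - discount)
        if ev.msg_value_wei * 10_000 < expected * (10_000 - max_discount_bps):
            flagged.append((ev.tx_hash, expected, ev.msg_value_wei))
    return flagged


# Constructed sample events: one honest purchase and one that mints a huge
# amount for 1 wei. Values are illustrative, not taken from the incident.
SAMPLE_EVENTS = [
    MintEvent("0xhonest", supply_before=1_000, tokens_minted=10,
              msg_value_wei=mint_cost(1_000, 10)),
    MintEvent("0xsuspicious", supply_before=1_010, tokens_minted=5_000_000,
              msg_value_wei=1),
]

if __name__ == "__main__":
    for tx, expected, paid in flag_underpriced_mints(SAMPLE_EVENTS):
        print(f"{tx}: curve expected {expected} wei, mint paid {paid} wei")
```

Because mint_cost and burn_refund walk the same discrete curve, the round-trip check reduces to "paid at least the curve price", which is exactly the property a closed-source pricing path cannot be assumed to have. Running the monitor over real mint events would require reading supply and msg.value from the chain for each transaction; the sample events stand in for that feed.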

Disclaimer

The information in this blog is for general educational and informational purposes only and does not constitute legal, financial, or professional advice. Halborn makes no representations as to the accuracy or completeness of the content, which may be updated or changed without notice.