Truebit Protocol Hacked for $26.44M Due to Integer Overflow Vulnerability

Odaily

On January 8, 2026, the Truebit Protocol suffered a $26.44 million exploit due to an integer overflow vulnerability in its token purchase logic. The attacker exploited a flaw in the 0x1446 function by using a loop to manipulate large input values and trigger incorrect ETH calculations. The vulnerability originated from the use of Solidity ^0.6.10, which lacks built-in overflow checks. This incident underscores the need for protocol updates and highlights the urgency of addressing security vulnerabilities in DeFi. The ExVul security team warns that AI-driven attacks on outdated protocols may increase, urging teams to conduct regular audits and implement robust monitoring systems.

On January 8, 2026, the Truebit Protocol was hacked, resulting in a loss of 8,535.36 ETH (approximately $26.44 million). The Truebit Protocol team officially confirmed the incident in a post the following morning. The ExVul security team conducted a detailed vulnerability analysis of this attack, and the findings are as follows:

Attack Process

Attacker's Address:

0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50

Attack transaction hash:

0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014

The attacker completed the attack by invoking a transaction that cycles through four rounds of calling getPurchasePrice → 0xa0296215 → 0xc471b10b. We will analyze the first loop as an example.

1. The attacker first calls the getPurchasePrice(240442509453545333947284131) function, which returns 0.

2. The attacker calls the function 0xa0296215(c6e3ae8e2cbab1298abaa3) with msg.value set to 0. Ultimately, they successfully mint 240,442,509,453,545,333,947,284,131 TRU tokens.

3. The attacker calls the 0xc471b10b(c6e3ae8e2cbab1298abaa3) function. Finally, 240,442,509,453,545,333,947,284,131 TRU tokens are destroyed, and 5105.06 ETH are obtained.

Attack Logic Analysis

From the attack process above, it is evident that there are logical issues in the `getPurchasePrice` function and the `0xa0296215` function. The following section analyzes them in more depth (since the contract is not open-source, the code below is decompiled).

Comparing what the two functions have in common shows that both use the 0x1446 function to calculate how much ETH is needed to purchase a specified amount of TRU. The 0x1446 function evidently contains a logic error that leads to incorrect ETH calculations. Below is a detailed analysis of its logic.

Consider the logic in the function at 0x1446. Since the final result is v13 == 0, the fault must lie in the calculation that precedes it. The function at 0x18ef has the same functionality as _SafeMul, so the multiplications are not the source. The problem is therefore the native addition v12 + v9 (the contract version is ^0.6.10, which does not include overflow checks).

v12 and v9 respectively indicate:

From the above analysis, the attacker's strategy is to input an extremely large _amountIn, causing v12 + v9 to overflow into a very small value, ultimately making (v12 + v9) / v6 == 0.
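The wrap described above can be reproduced with a small model of uint256 arithmetic. This is an added example, not Truebit's code or the decompiled output: `quote`, `rate_a`, `rate_b`, the divisor and the amounts are hypothetical, constructed only to show a checked multiply followed by an unchecked add.

```python
# Added illustration: models EVM uint256 arithmetic in Python.
# Not Truebit's code; the rates, divisor and amounts are constructed.
UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Stands in for an EVM revert."""

def safe_mul(a, b):
    # SafeMath-style checked multiply, as the page says 0x18ef behaves.
    c = a * b
    if c > UINT256_MAX:
        raise Revert("mul overflow")
    return c

def unchecked_add(a, b):
    # Native `+` in Solidity before 0.8: the sum wraps modulo 2**256.
    return (a + b) & UINT256_MAX

def checked_add(a, b):
    # SafeMath-style add (the default behaviour from Solidity 0.8 on).
    c = a + b
    if c > UINT256_MAX:
        raise Revert("add overflow")
    return c

def quote(amount, rate_a, rate_b, divisor, add):
    # Same shape as the page's (v12 + v9) / v6. How the real contract
    # derives v12 and v9 is not shown on the page; this is hypothetical.
    v12 = safe_mul(amount, rate_a)
    v9 = safe_mul(amount, rate_b)
    return add(v12, v9) // divisor

def reverts(fn, *args):
    # True if the call ends in a modelled revert.
    try:
        fn(*args)
        return False
    except Revert:
        return True

if __name__ == "__main__":
    small, huge = 1000, 2**200  # constructed amounts
    print(quote(small, 3, 5, 4, unchecked_add))         # ordinary input
    print(quote(huge, 2**55, 2**55, 4, unchecked_add))  # sum wraps
    print(reverts(quote, huge, 2**55, 2**55, 4, checked_add))
```

Each product fits in 256 bits, so the checked multiply passes; only the sum exceeds the range, which is why checking multiplication alone leaves the price calculation exposed.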

Summary

The root cause of the recent attack on the Truebit Protocol lies in a severe integer overflow vulnerability in its token purchase price calculation logic. The contract used Solidity ^0.6.10 and did not include safety checks for critical arithmetic operations, ultimately resulting in a significant loss of 8,535.36 ETH. Newer versions of Solidity have already mitigated overflow vulnerabilities. This attack was likely discovered by hackers using AI to automatically scan older, already-deployed DeFi protocols for vulnerabilities (such as the recent Balancer and yETH attacks). We believe such AI-driven attacks targeting older DeFi protocols will increase in the near future. Therefore, we recommend that project teams conduct new security audits of their smart contracts. If vulnerabilities are found, they should upgrade the contracts or transfer assets as soon as possible and implement on-chain monitoring to detect anomalies promptly, minimizing potential losses.
