Truebit Token Crashes After Protocol Confirms $26M Ethereum Exploit
Truebit’s TRU token plunged on Thursday after the protocol confirmed a serious security incident involving one of its Ethereum smart contracts. On-chain trackers estimate the attacker made off with around 8,535 ETH, worth roughly $26 million at current prices.
In a statement, Truebit said the incident involved “one or more malicious actors” and confirmed it is working with law enforcement while “taking all available measures” to respond.
Crypto investigators tracking the exploit pegged the stolen amount at 8,535 ETH, valuing the loss at about $26.6 million at the time of reporting.
For traders, the impact was immediate. Smart contract exploits rarely stay contained, and the shock quickly rippled through liquidity, market confidence, and token prices.
What Went Wrong: A Suspected Smart Contract Bug
Truebit was designed to solve one of blockchain’s biggest challenges: the high cost of on-chain computation. The protocol allows complex calculations to be handled off-chain while keeping verification on Ethereum, enabling more advanced smart contract use cases.
According to Truebit, the malicious activity was tied to its “Truebit Protocol: Purchase” contract. The team urged users to avoid interacting with the contract address until further notice.
While a full technical breakdown has yet to be released, on-chain analysts believe the exploit stemmed from a pricing logic flaw in the getPurchasePrice function. Large mint requests reportedly returned a zero cost, allowing the attacker to mint tokens for free and repeatedly sell them through a bonding curve, draining the protocol’s ETH reserves.
Stolen ETH Routed Through Tornado Cash
Transaction data suggests the attacker acted deliberately. After the drain, the stolen ETH was consolidated into a main wallet, with a significant portion routed through Tornado Cash—a step often used to obscure fund trails and one that points to planning rather than opportunism.
The market reaction was brutal. On-chain investigators reported that TRU collapsed more than 99%, with Nansen data showing the token falling to roughly $0.0000000029, down from around $0.16 before the incident.
Another Reminder of Ongoing Security Risks
The exploit comes despite a recent slowdown in reported crypto losses. PeckShield said total hack and exploit losses fell to about $76 million in December, down from $194.2 million in November—a 60% drop.
Even so, the ecosystem remains under constant pressure. December’s losses included a $50 million address poisoning attack and a $27.3 million multisig private key leak, highlighting that protocol bugs and user-targeted scams continue to pose serious risks.
