Verify a decision

{"actor":"system:backfill","investigation_id":"19a3fa1c-c5f0-4541-8433-c1d8a05d9807","kind":"publish","page_slug":"truebit-oracle-exploit-january-2026","published_at":"2026-06-08T01:22:14.544Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"TrueBit Oracle Exploit (January 2026)","sections":[{"content":"Two distinct projects use the 'Truebit' name, and their relationship requires clarification. The original Truebit was a scalable verification and off-chain computation oracle protocol founded by mathematician Jason Teutsch and co-authored with Solidity creator Christian Reitwiessner; it was designed to allow Ethereum smart contracts to outsource complex computations. The project operating under Truebit.io at the time of the January 2026 exploit describes itself as 'Truebit Verify,' a verification layer for tokenized assets offering dynamic oracles, cross-chain orchestration, and compliance automation. Whether the exploited token-sale contract was part of the original protocol, a successor, or a separate project using the same branding is not definitively established in available reporting. Multiple Tier 2 sources treat them as a single continuous entity under the TRU ticker; no source has reported an official clarification from the project team on this point. The exploit targeted a specific Purchase contract holding ETH liquidity for the TRU native token, not a broad oracle infrastructure contract.","heading":"Entity Disambiguation","severity":"medium","sources":[{"credibility":2,"name":"Truebit.io — official site describing Truebit Verify product","type":"official","url":"https://truebit.io/"},{"credibility":1,"name":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","type":"news_article","url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"}]},{"content":"The vulnerability resided in a function named getPurchasePrice(uint256 amount) within the Truebit Protocol Purchase contract (address: 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2), deployed approximately in 2021 and compiled with Solidity v0.5.3. That compiler version predates the automatic overflow-protection introduced in Solidity 0.8.x, and the contract did not apply the SafeMath library to all arithmetic operations — specifically, one addition in the pricing function was left unguarded. When an attacker supplied an astronomically large token-amount argument, the addition wrapped around the uint256 maximum value to produce a near-zero cost output. The attacker deployed a dedicated attack contract (0x1de399967b206e446b4e9aeeb3cb0a0991bf11b8) and executed the exploit in a single atomic transaction (hash: 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014). The attack cycled through five iterations: call getPurchasePrice with a crafted large amount to obtain a near-zero price, mint billions of TRU tokens, transfer tokens to the Purchase contract, burn them at the protocol's 12.5% buyback rate to redeem ETH, and repeat. The exploit function was explicitly labeled 'Attack' in the transaction call data. The attacker also paid a small builder bribe to ensure transaction priority and prevent interference. The source code of the contract was never verified on Etherscan, making the vulnerability detectable only through bytecode decompilation.","heading":"Exploit Mechanism: Integer Overflow in Purchase Contract","severity":"critical","sources":[{"credibility":2,"name":"Rekt News: Truebit — Rekt (primary technical post-mortem)","type":"research","url":"https://rekt.news/truebit-rekt"},{"credibility":2,"name":"DL News: Truebit hit by $26m exploit as attackers increasingly target older DeFi protocols","type":"news_article","url":"https://www.dlnews.com/articles/defi/truebit-hit-by-exploit-as-attackers-increasingly-target-older-defi-protocols/"},{"credibility":1,"name":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","type":"news_article","url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"},{"credibility":2,"name":"Halborn: Explained — The Truebit Hack (January 2026)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-truebit-hack-january-2026"},{"credibility":1,"name":"CoinTelegraph: $26M Truebit Hack Was Smart Contract Exploit: Analysis","type":"news_article","url":"https://cointelegraph.com/news/26m-truebit-hack-smart-contract-vulnerability"}]},{"content":"The primary attacker drained 8,535 ETH from the Purchase contract, valued at approximately $26.2–26.6 million at the time of the exploit. A secondary opportunistic attacker (wallet: 0xc0454E545a7A715c6D3627f77bEd376a05182FBc) extracted an additional approximately $250,000–$253,000 in ETH after the primary exploit opened the vulnerability. Total reported losses across both actors range from approximately $26.4 million to $26.6 million across different sources, the variation reflecting ETH price fluctuations in the hours surrounding the attack. The TRU token price collapsed approximately 99.9% within 24 hours of the exploit, falling from approximately $0.1659 to as low as $0.0000000029 according to CoinGecko data cited by multiple outlets. CoinGecko flagged the project with an exploit warning. Virtually all market capitalization was wiped out, and liquidity evaporated as holders rushed to exit.","heading":"Financial Impact and Token Collapse","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","type":"news_article","url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"},{"credibility":2,"name":"Rekt News: Truebit — Rekt","type":"research","url":"https://rekt.news/truebit-rekt"},{"credibility":2,"name":"The Defiant: Truebit Hack Wipes Out TRU in First Major Exploit of 2026","type":"news_article","url":"https://thedefiant.io/news/hacks/truebit-hack-first-major-crypto-exploit-of-2026"},{"credibility":2,"name":"Yahoo Finance / DL News: Truebit hit by $26m exploit","type":"news_article","url":"https://finance.yahoo.com/news/truebit-hit-26m-exploit-attackers-170618082.html"}]},{"content":"The primary attacker operated from wallet address 0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50, funded via the Across Protocol cross-chain bridge on December 6, 2025, indicating at least a one-month preparation period. The attack contract was deployed at 0x1de399967b206e446b4e9aeeb3cb0a0991bf11b8. Following the exploit, stolen funds were routed through at least four intermediate laundering wallets (0x273589ca3713e7becf42069f9fb3f0c164ce850a, 0x3b58192943ee6f9ae92d54dd1ef378cfd519862a, 0x62afdd1bd84f6b152572404be90679ae58eb4862, 0xD12f6E0fa7FBF4e3A1c7996E3F0Dd26AB9031a60) before being deposited into Tornado Cash (router: 0xD841C52B68c5dB133078ABa039bd9EAF19b0b135). On-chain tracker Lookonchain reported that all 8,535 ETH had been laundered through Tornado Cash by approximately January 10–11, 2026. PeckShield linked the primary attacker address to a prior exploit of Sparkle Protocol approximately 12 days before the Truebit attack, in which the same individual allegedly used a similar token-minting overflow technique to extract approximately 5 ETH. This connection, if accurate, suggests a skilled threat actor actively scanning legacy DeFi contracts for unguarded arithmetic. The secondary attacker (0xc0454E545a7A715c6D3627f77bEd376a05182FBc) is described by Rekt.news as an opportunistic copycat who exploited the same open vulnerability after the primary attack had already occurred.","heading":"Attacker Identities and Fund Flow","severity":"critical","sources":[{"credibility":2,"name":"Rekt News: Truebit — Rekt","type":"research","url":"https://rekt.news/truebit-rekt"},{"credibility":2,"name":"Blockchain.news Flash: Truebitprotocol Exploiter Moves 8.5K ETH Into Tornado Cash","type":"on_chain","url":"https://blockchain.news/flashnews/truebitprotocol-exploiter-moves-8-5k-eth-26-5m-into-tornado-cash"},{"credibility":2,"name":"Crypto Briefing: Truebit hacker launders $26 million in ETH via Tornado Cash","type":"news_article","url":"https://cryptobriefing.com/truebit-hacker-launders-eth-via-tornado-cash/"},{"credibility":1,"name":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","type":"news_article","url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"}]},{"content":"Multiple independent security analyses identified compounding risk factors that enabled the exploit. First, the Purchase contract was deployed circa 2021 using Solidity v0.5.3, a compiler version that does not include automatic overflow protection; the SafeMath library was applied to multiplication and division operations but at least one addition operation was left unguarded. Second, the contract's source code was never verified on Etherscan, making the vulnerability invisible to standard public review and preventing automated security scanners from detecting it without bytecode decompilation. Third, there is no public record of any third-party security audit ever having been conducted on the contract. Fourth, the contract remained active and held significant ETH reserves for approximately five years without modification or replacement, despite the existence of known best practices for overflow protection. The Halborn security firm and DL News both noted a broader pattern of attackers in 2025–2026 targeting legacy DeFi contracts from 2020–2021 vintage that lack active maintenance, audit coverage, and compiler-level protections.","heading":"Security Failures and Audit History","severity":"high","sources":[{"credibility":2,"name":"Halborn: Explained — The Truebit Hack (January 2026)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-truebit-hack-january-2026"},{"credibility":2,"name":"DL News: Truebit hit by $26m exploit as attackers increasingly target older DeFi protocols","type":"news_article","url":"https://www.dlnews.com/articles/defi/truebit-hit-by-exploit-as-attackers-increasingly-target-older-defi-protocols/"},{"credibility":2,"name":"Rekt News: Truebit — Rekt","type":"research","url":"https://rekt.news/truebit-rekt"},{"credibility":2,"name":"FinanceFeeds: Overflow Error Blamed for Massive $26M Truebit Smart Contract Exploit","type":"news_article","url":"https://financefeeds.com/overflow-error-blamed-for-massive-26m-truebit-smart-contract-exploit/"}]},{"content":"Truebit's official response, issued approximately two hours after the exploit was detected, was a brief statement acknowledging 'a security incident involving one or more malicious actors' and advising users not to interact with the affected contract. The team stated it was 'in contact with law enforcement' and had 'engaged additional resources to strengthen tracing and recovery.' No detailed technical post-mortem had been published as of reporting by multiple outlets in January 2026. No official statement addressed the audit history, Solidity version, or specific steps taken to prevent similar incidents. Because all 8,535 ETH was fully laundered through Tornado Cash by January 11, 2026, the probability of on-chain asset recovery is considered extremely low. No sources through the date of this investigation report that any funds have been recovered. The team's communication was characterized by multiple outlets as minimal and lacking in technical specifics.","heading":"Team Response and Recovery Status","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","type":"news_article","url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"},{"credibility":2,"name":"Crypto Briefing: Truebit hacker launders $26 million in ETH via Tornado Cash","type":"news_article","url":"https://cryptobriefing.com/truebit-hacker-launders-eth-via-tornado-cash/"},{"credibility":2,"name":"Rekt News: Truebit — Rekt","type":"research","url":"https://rekt.news/truebit-rekt"}]},{"content":"The Truebit exploit was described by multiple analysts as the first major DeFi hack of 2026 and as illustrative of a broader pattern of threat actors targeting old, unmaintained smart contracts. DL News and Halborn both noted that protocols from the 2020–2021 DeFi boom often deployed contracts under Solidity versions without automatic overflow protection and without requiring audits, which were less common norms at the time. A number of these contracts remain active with real liquidity years after deployment, creating an inventory of potential targets. PeckShield's attribution linking the Truebit attacker to the earlier Sparkle Protocol attack — which used a similar overflow-based minting technique — reinforces this picture of a methodical actor exploiting a repeatable vulnerability class across multiple protocol targets. CCN's 2026 DeFi hacks roundup listed Truebit among multiple nine-figure-aggregate losses in the first half of 2026.","heading":"Broader Context: Legacy Contract Risk Pattern","severity":"medium","sources":[{"credibility":2,"name":"DL News: Truebit hit by $26m exploit as attackers increasingly target older DeFi protocols","type":"news_article","url":"https://www.dlnews.com/articles/defi/truebit-hit-by-exploit-as-attackers-increasingly-target-older-defi-protocols/"},{"credibility":2,"name":"CCN: Biggest DeFi Hacks and Exploits of 2026","type":"news_article","url":"https://www.ccn.com/education/crypto/defi-hacks-exploits-causes-crypto-stolen-2026/"},{"credibility":1,"name":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","type":"news_article","url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"}]}],"sources_used":[{"credibility":2,"name":"Rekt News: Truebit — Rekt","type":"research","url":"https://rekt.news/truebit-rekt"},{"credibility":1,"name":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","type":"news_article","url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"},{"credibility":2,"name":"DL News: Truebit hit by $26m exploit as attackers increasingly target older DeFi protocols","type":"news_article","url":"https://www.dlnews.com/articles/defi/truebit-hit-by-exploit-as-attackers-increasingly-target-older-defi-protocols/"},{"credibility":2,"name":"Halborn: Explained — The Truebit Hack (January 2026)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-truebit-hack-january-2026"},{"credibility":1,"name":"CoinTelegraph: $26M Truebit Hack Was Smart Contract Exploit: Analysis","type":"news_article","url":"https://cointelegraph.com/news/26m-truebit-hack-smart-contract-vulnerability"},{"credibility":2,"name":"The Defiant: Truebit Hack Wipes Out TRU in First Major Exploit of 2026","type":"news_article","url":"https://thedefiant.io/news/hacks/truebit-hack-first-major-crypto-exploit-of-2026"},{"credibility":2,"name":"Yahoo Finance / DL News: Truebit hit by $26m exploit","type":"news_article","url":"https://finance.yahoo.com/news/truebit-hit-26m-exploit-attackers-170618082.html"},{"credibility":2,"name":"Crypto Briefing: Truebit hacker launders $26 million in ETH via Tornado Cash","type":"news_article","url":"https://cryptobriefing.com/truebit-hacker-launders-eth-via-tornado-cash/"},{"credibility":2,"name":"Blockchain.news Flash: Truebitprotocol Exploiter Moves 8.5K ETH Into Tornado Cash","type":"on_chain","url":"https://blockchain.news/flashnews/truebitprotocol-exploiter-moves-8-5k-eth-26-5m-into-tornado-cash"},{"credibility":2,"name":"FinanceFeeds: Overflow Error Blamed for Massive $26M Truebit Smart Contract Exploit","type":"news_article","url":"https://financefeeds.com/overflow-error-blamed-for-massive-26m-truebit-smart-contract-exploit/"},{"credibility":2,"name":"CCN: Biggest DeFi Hacks and Exploits of 2026","type":"news_article","url":"https://www.ccn.com/education/crypto/defi-hacks-exploits-causes-crypto-stolen-2026/"},{"credibility":2,"name":"KuCoin News: Truebit Protocol Hacked for $26.44M Due to Integer Overflow Vulnerability","type":"news_article","url":"https://www.kucoin.com/news/flash/truebit-protocol-hacked-for-26-44m-due-to-integer-overflow-vulnerability"},{"credibility":2,"name":"Phemex News: Truebit Faces $26M Exploit Amid DeFi Protocol Vulnerabilities","type":"news_article","url":"https://phemex.com/news/article/truebit-suffers-26m-exploit-as-hackers-target-older-defi-protocols-52499"},{"credibility":2,"name":"Truebit.io — official site","type":"official","url":"https://truebit.io/"},{"credibility":2,"name":"Crypto.news: Truebit exploit erases 99% of token value after 26 million dollar Ether theft","type":"news_article","url":"https://crypto.news/truebit-exploit-erases-99-of-token-value-after-26-million-dollar-ether-theft/"}],"summary":"On January 8, 2026, the Truebit Protocol smart contract on Ethereum was exploited via an integer overflow vulnerability in a legacy, unaudited Purchase contract (deployed circa 2021, compiled with Solidity v0.5.3), allowing an attacker to mint TRU tokens at near-zero cost and drain 8,535 ETH (approximately $26.2–26.6 million) from the bonding-curve reserve. The stolen funds were fully laundered through Tornado Cash by January 11, 2026, and no meaningful recovery has been reported. The incident caused TRU token to collapse approximately 99.9% within 24 hours, and the same primary attacker address was linked by PeckShield to a prior Sparkle Protocol exploit approximately 12 days earlier.","timeline":[{"date":"2021-01-01","event":"Truebit Protocol Purchase contract (0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2) deployed on Ethereum, compiled with Solidity v0.5.3. Source code not verified on Etherscan. No third-party audit on record.","source":"Rekt News: Truebit — Rekt","source_url":"https://rekt.news/truebit-rekt"},{"date":"2025-12-06","event":"Primary attacker wallet (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) funded via the Across Protocol cross-chain bridge, approximately 33 days before the exploit.","source":"Rekt News: Truebit — Rekt","source_url":"https://rekt.news/truebit-rekt"},{"date":"2025-12-27","event":"Alleged same primary attacker exploits Sparkle Protocol using a similar integer-overflow minting technique, draining approximately 5 ETH. PeckShield links the Sparkle attacker address to the subsequent Truebit exploit.","source":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","source_url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"},{"date":"2026-01-08","event":"Primary exploit executed on Ethereum. Attacker mints billions of TRU tokens via integer overflow in getPurchasePrice(), burns them at the 12.5% buyback rate, and repeats across five iterations in a single atomic transaction. 8,535 ETH (~$26.2–26.6M) drained from the Purchase contract.","source":"Rekt News: Truebit — Rekt","source_url":"https://rekt.news/truebit-rekt"},{"date":"2026-01-08","event":"Secondary opportunistic attacker (0xc0454E545a7A715c6D3627f77bEd376a05182FBc) exploits the same vulnerability, draining an additional approximately $250,000–$253,000 in ETH.","source":"Rekt News: Truebit — Rekt","source_url":"https://rekt.news/truebit-rekt"},{"date":"2026-01-08","event":"TRU token collapses approximately 99.9% within hours of the exploit, from approximately $0.1659 to near zero. CoinGecko flags the project with an exploit warning.","source":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","source_url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"},{"date":"2026-01-08","event":"Truebit team issues brief public statement approximately two hours after exploit detection, acknowledging 'a security incident involving one or more malicious actors,' advising against interacting with the affected contract, and stating law enforcement contact.","source":"Rekt News: Truebit — Rekt","source_url":"https://rekt.news/truebit-rekt"},{"date":"2026-01-09","event":"Blockchain security firms CertiK and PeckShield publish on-chain analysis confirming the exploit details and linking the attacker to the prior Sparkle Protocol incident.","source":"CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether","source_url":"https://www.coindesk.com/markets/2026/01/09/truebit-token-tru-crashes-99-9-after-usd26-6m-exploit-drains-8-535-eth"},{"date":"2026-01-10","event":"Lookonchain and Blockchain.news report that the stolen 8,535 ETH has been moved through multiple laundering wallets and deposited into Tornado Cash privacy mixer.","source":"Blockchain.news Flash: Truebitprotocol Exploiter Moves 8.5K ETH Into Tornado Cash","source_url":"https://blockchain.news/flashnews/truebitprotocol-exploiter-moves-8-5k-eth-26-5m-into-tornado-cash"},{"date":"2026-01-11","event":"Crypto Briefing and MEXC News report that all 8,535 ETH has been fully laundered through Tornado Cash. Recovery prospects considered extremely low.","source":"Crypto Briefing: Truebit hacker launders $26 million in ETH via Tornado Cash","source_url":"https://cryptobriefing.com/truebit-hacker-launders-eth-via-tornado-cash/"}]},"v":1}