Truebit Protocol Exploit Drains $26M as TRU Token Collapses to Zero

Highlights:

• Truebit Protocol lost $26.6M after attackers exploited an outdated smart contract flaw.
• The TRU token collapsed from $0.16 to near zero within hours.
• Legacy DeFi contracts continue attracting attackers seeking mispriced minting functions.

Truebit Protocol suffered a major security breach on Thursday that triggered one of 2026’s sharpest token collapses. On-chain data showed attackers drained about 8,535 ether, valued at $26.6 million. As a result, the TRU token plunged from $0.16 to near zero within hours, sparking widespread panic selling across the market.

The exploit targeted an outdated smart contract still connected to active liquidity pools. According to researchers, a pricing error let attackers mint TRU at zero cost. They repeatedly bought and sold tokens to extract ether directly from the protocol’s reserves. As a result, the rapid transactions bypassed early safeguards on the Ethereum network.

Truebit Protocol’s Exploit Mechanics and On-Chain Trail

The activity was flagged by blockchain experts when a single wallet received most of the funds. Cyvers reported the unusual behavior of transactions not corresponding to normal Truebit operations. In addition, its systems identified high-risk indicators with the attacker employing small builder bribes to gain block priority. The attacker thus made trades quickly across various blocks to achieve maximum extraction speed.

Additional investigation revealed that the attacker used a flawed minting function. Independent researcher Weilin Li traced the bug to a mispriced contract implemented five years prior. Since the code was still available, the attackers took advantage of old permissions that developers never retired during the previous network phases that are still connected to liquidity contracts today.

Li also suggested that there were two attackers involved in the exploit window. A single address captured approximately $26 million in Ether profits. The other address gained about $250,000 upon identifying the weakness. The activity further suggests opportunistic follow-on trading by observers of mempool data and interactions of contracts on the network-wide volatility that morning.

Protocol Response and Market Fallout

Truebit protocol acknowledged that it was aware of the security incident via a public statement. The team cautioned against interacting with the affected contract address. Meanwhile, the developers notified law enforcement and initiated internal investigations. However, they did not confirm any immediate contract pauses as investigations expanded in multiple jurisdictions with blockchain analytics partners.

Response in the market became rapid, with liquidity evaporating in the trading venues. TRU token dropped to almost zero value within hours as the selling pressure intensified. Moreover, the collapse erased years of market capitalization and left behind holders unable to exit positions amid thin order books and halted arbitrage flows in the face of extreme volatility conditions globally.

Increasing DeFi Exploits and Legacy Contract Risks

This incident contributes to the expanding list of decentralized finance hacks. Security firms noted that attackers are targeting more forgotten permissions on older contracts. With protocols evolving, legacy code has been a frequent vulnerability. Audits often trail behind older deployments, allowing mispriced logic embedded years ago to go unnoticed.

Similar exploits have been observed in major protocols recently. Balancer suffered a loss of more than $120 million due to a rounding error. Bunni and Nemo also reported contract drains, adding momentum to increasing security pressures throughout the sector.

Meanwhile, stablecoin neobank Kontigo recently experienced a wallet breach, draining more than 340,000 USDC from affected users. Kontigo, however, responded promptly by issuing full reimbursements. Moreover, Trust Wallet suffered a separate breach linked to its Chrome extension, whereby hackers drained about $7 million from unsuspecting users.