Quick Breakdown
- Attackers exploited a smart contract flaw in Truebit’s “Purchase” function at 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2, minting TRU tokens for free and selling them to drain ETH reserves.
- On-chain sleuths like Lookonchain flagged 8,535 ETH ($26.4M) stolen; half the funds routed through Tornado Cash shortly after.
- TRU price collapsed from $0.16 to near zero ($0.0000000007), wiping out market cap amid panic selling and vanished liquidity pools.
Truebit Protocol suffered a $26.4 million exploit on January 8, 2026, when attackers drained 8,535 ETH from a vulnerable smart contract, causing the native TRU token to plummet nearly 100% and erasing nearly all liquidity. The breach targeted a legacy “Purchase” contract deployed years ago, exploiting a pricing flaw that allowed massive token mints at zero cost. Truebit confirmed the incident, paused interactions, and contacted law enforcement as investigations continue.
Today, we became aware of a security incident involving one or more malicious actors. The affected smart contract is 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2 and we strongly advise the public not to interact with this contract until further notice. We are in contact with law…
— Truebit (@Truebitprotocol) January 8, 2026
Exploit mechanics exposed
The vulnerability sat in an outdated smart contract, roughly five years old, whose minting function mispriced large requests and returned a cost of zero for them. Attackers repeatedly minted TRU tokens at no cost, then dumped them into the protocol’s bonding curve, rapidly extracting ETH through arbitrage loops. One transaction even used a function labelled “Attack,” highlighting the deliberate nature of the breach. Blockchain analysts like Lookonchain and Cyvers detected abnormal transfers early, with the attacker consolidating funds into wallet 0x6C8EC8f1 before mixing via Tornado Cash. Independent researcher Weilin Li pinpointed the legacy contract as the entry point, underscoring the risks of unupgraded code in DeFi protocols.
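A mint quote that drops to zero for large requests is the kind of defect a simple property sweep catches before deployment. The sketch below is an added example, not Truebit's code: `toy_mint_cost` and `linear_mint_cost` are constructed stand-ins (the article does not give the real pricing formula), and the truncating division in the toy is an assumed way to produce the symptom described above.

```python
# Added example: toy pricing functions, constructed for illustration.
# Neither is Truebit's formula; the article does not publish it.
WEI = 10**18

def toy_mint_cost(amount, supply=10**8, reserve=8_535 * WEI):
    """Constructed flawed quote: integer division truncates to 0 for huge amounts."""
    return reserve * amount // (supply + amount) ** 2

def linear_mint_cost(amount, supply=10**8, slope=10**6):
    """Constructed sound quote: area under a linear curve, price = slope * supply."""
    return slope * amount * (2 * supply + amount) // 2

def check_pricing(quote, max_exp=40):
    """Sweep request sizes 10**0 .. 10**max_exp; return (amount, reason) violations."""
    violations, highest = [], 0
    for exp in range(max_exp + 1):
        amount = 10**exp
        cost = quote(amount)
        if cost <= 0:
            violations.append((amount, "zero-cost mint"))
        elif cost < highest:
            violations.append((amount, "larger mint quoted cheaper"))
        highest = max(highest, cost)
    return violations

def guarded_quote(quote, amount):
    """Runtime guard: refuse a non-zero mint request that is quoted at zero."""
    cost = quote(amount)
    if amount > 0 and cost <= 0:
        raise ValueError(f"refusing mint of {amount}: quoted cost {cost}")
    return cost

if __name__ == "__main__":
    for name, fn in [("toy", toy_mint_cost), ("linear", linear_mint_cost)]:
        bad = check_pricing(fn)
        print(name, "violations:", len(bad), "first:", bad[:1])
```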
Market fallout, response underway
Truebit’s TRU token saw a 99.9% drop across exchanges like KuCoin and MEXC, with CoinGecko data showing market cap becoming unquantifiable overnight. The protocol issued a statement on X, confirming malicious activity limited to one contract and urging users to avoid interactions until resolved. Developers are coordinating with authorities, but no recovery plan or details of the cause have emerged yet, fueling concerns over transparency. This marks one of the first major DeFi exploits of 2026, following a relatively quiet 2025. Coming soon after the $3.9M Flow token duplication breach, it underscores the persistent threat from outdated or flawed smart contracts in DeFi. Amid rising institutional adoption, these early 2026 incidents renew urgent calls for rigorous protocol audits, particularly of legacy systems, and for enhanced security across the ecosystem.