Hackers exploit five-year-old vulnerability; Truebit suffers a loss of $26 million


Ethereum verification protocol Truebit was hacked this week, resulting in losses of up to $26 million in assets. This incident once again exposes the increasingly serious security vulnerabilities in the DeFi space and highlights the latest hunting pattern among hackers—targeting forgotten old contracts. Following the news, the native token TRU plummeted, dropping rapidly from $0.16 to $0.01, a decline of over 93%, hitting a historic low.

Contracts Deployed Five Years Ago Become Hacking Channels

According to on-chain analysis platform Lookonchain, the stolen assets amount to as many as 8,535 ETH. Independent researcher Weilin Li conducted an in-depth analysis and found that the hackers’ attack targeted a smart contract deployed by Truebit five years ago, which had a serious flaw in the pricing mechanism of its “mint” function. This long-forgotten vulnerability opened the door for hackers—they were able to mint TRU tokens in bulk at a cost far below market price and then sell them off for arbitrage.

Truebit’s official statement was posted on social platform X: “We have discovered a security incident involving malicious actors, and we are working closely with law enforcement to take all possible measures.” Although the statement did not disclose specific details of the theft, market reactions and on-chain data suggest that the scale of the loss is quite astonishing.

Hacker Teams Collaborate, Experts Profit Millions

Weilin Li further revealed the profit distribution among the hacker team: the attack was carried out by two hackers, with the main hacker earning approximately $26 million, and another participant earning about $250,000. This organized, division-of-labor attack pattern reflects that the hacker circle has formed a relatively mature “industry chain.”

“Unearthing Old Vulnerabilities” Becomes a New Trend Among Hackers, DeFi Projects Targeted

Even more alarming, Weilin Li specifically warned of a new hacker trend: “archaeological” vulnerability hunting. Hackers are specifically seeking out old contracts to attack that, although forgotten by the market, still hold high permissions. This strategy often allows them to evade project defenses. In November last year, DeFi protocol Balancer was hacked due to a smart contract vulnerability, losing over $120 million. Moving into 2026, several well-known projects such as Bunni, Nemo Protocol, Hyperdrive, and Yearn Finance have also reported contract attacks, forming a wave of concentrated security crises.

This series of events serves as a warning to the entire industry: maintenance and permission management of old contracts are becoming a fatal weakness in the DeFi ecosystem.
