The Truebit TRU token lost nearly all of its value following a security breach that drained approximately 8,535 ether from the protocol's reserves. The attacker exploited a vulnerability in a legacy smart contract, allowing them to acquire tokens for free and sell them back to the system to extract over 26 million dollars.

The Truebit protocol, which focuses on Ethereum verification and computation, suffered a catastrophic collapse on Thursday when its native TRU token plummeted nearly 100 percent. Onchain data indicates that a malicious actor successfully drained roughly 8,535 ether from the project's reserves, a haul valued at approximately 26.6 million dollars. Truebit leadership confirmed they are investigating the incident and have engaged with law enforcement to address the breach.

Blockchain researchers identified the source of the failure as an older smart contract that had been deployed five years ago. This legacy code contained a specific flaw in its minting function that incorrectly calculated purchase prices for massive token orders. Under certain conditions involving unusually large buys, the contract returned a price of zero, effectively allowing the attacker to generate tokens without providing any collateral in return.

The attacker capitalized on this pricing error by executing a series of rapid buy and sell loops. By acquiring TRU at no cost and immediately selling it back into the protocol's bonding curve reserve, the exploiter was able to systematically pull ether out of the pool. To ensure these transactions were processed quickly and without interference, the attacker reportedly paid builder bribes to prioritize their activity on the blockchain.

This exploit triggered a total liquidity crisis for the TRU token, which saw its market price drop by as much as 99.9 percent as holders attempted to flee the crashing asset. The event highlights a recurring danger in the decentralized finance space where forgotten or outdated contracts remain active. Even when a project moves on to newer iterations, these legacy deployments can still serve as a backdoor for attackers if they remain connected to valuable reserves.

As of now, the Truebit team has warned the public to stop interacting with the compromised contract address while they work on a solution. The project has not yet released a formal post-mortem or confirmed if they have the technical ability to pause the specific contracts involved in the drain. This incident serves as a stark reminder of the persistent risks associated with smart contract logic and the long-term maintenance required for decentralized infrastructure.

Source: Truebit Token Crashes After Hacker Drains 26 Million In Ether