Truebit Loses $26 Million in ETH as Exploit Erases TRU Token Value

Truebit Protocol suffered a catastrophic failure on January 8, 2026, after attackers exploited a long-forgotten smart contract to drain more than $26 million worth of ETH, triggering the near-total collapse of its native TRU token. The incident wiped out liquidity, erased market confidence, and positioned Truebit among the first major DeFi casualties of the year.

The attack centered on an outdated “Purchase” contract deployed roughly five years ago and never fully decommissioned. According to on-chain investigators, the contract contained a pricing flaw that returned zero-cost values for large token mint requests. This allowed attackers to mint unlimited amounts of TRU at no cost and immediately sell the tokens back into the protocol’s bonding curve, extracting ETH through repeated arbitrage loops.

Blockchain analytics firm Lookonchain reported that 8,535 ETH were siphoned from the contract in a series of rapid transactions. The funds were later consolidated into a single wallet before roughly half were routed through Tornado Cash, significantly reducing the chances of recovery. Cyvers and independent researchers also flagged the activity early, noting abnormal mint-and-dump patterns inconsistent with organic market behavior.

One transaction openly labeled its function call as “Attack,” leaving little ambiguity about the exploit’s intent. Security researcher Weilin Li later confirmed that the vulnerable contract had remained active despite being considered legacy infrastructure, underscoring a recurring problem across DeFi protocols that evolve faster than their technical debt is addressed.

Market reaction was immediate and brutal. TRU, which had been trading near $0.16, collapsed by more than 99.9 percent within hours, effectively trading at fractions of a cent. Liquidity pools vanished across decentralized exchanges, while centralized platforms such as KuCoin and MEXC reflected the collapse in real time. By the end of the day, TRU’s market capitalization had become functionally unmeasurable.

Truebit acknowledged the breach in a public statement, confirming that malicious activity was limited to a single contract and urging users to halt all interactions with the protocol. The team stated it had paused affected components and contacted law enforcement, but provided few technical details and offered no immediate recovery roadmap. The lack of transparency has drawn criticism from market observers who argue that clear communication is critical during protocol failures.

The exploit arrives after a relatively calm 2025 for decentralized finance, making its impact more pronounced. Combined with the recent $3.9 million Flow token duplication incident, the Truebit collapse highlights a persistent structural risk within the sector: legacy smart contracts that remain exploitable long after their relevance has faded.

As DeFi protocols mature and attract greater institutional interest, the Truebit incident reinforces an uncomfortable reality. Innovation alone is not enough. Without continuous audits, contract upgrades, and aggressive deprecation of outdated code, even established protocols remain vulnerable to exploits that can erase years of value in a matter of minutes.