Incident Summary

On 8 January 2026, the Truebit protocol was exploited due to an integer overflow bug.
An attacker was able to mint TRU tokens for zero ETH, then immediately sell those tokens for ETH  all within the same transaction.

  • Total loss: ~$26.6M
  • ETH stolen by first attacker: 8,535 ETH
  • A second attacker later exploited the same issue and extracted an additional ~224k USD.

What Happened (High-Level)

  1. The protocol had a function that calculates how much ETH is required to mint TRU tokens.
  2. Due to an overflow in the price calculation, this function sometimes returned 0 ETH.
  3. Attackers used this to mint massive amounts of TRU for free.
  4. They immediately sold those tokens back to the protocol for ETH.
  5. This process was repeated multiple times in a single transaction.

Attackers & Contracts

Exploiter 1
  • Wallet: 0x6C8EC8f14bE7C01672d31CFa5f2CEfeAB2562b50
  • Attack Contract: 0x1De399967B206e446B4E9AeEb3Cb0A0991bF11b8
Exploiter 2
  • Wallet: 0xc0454E545a7A715c6D3627f77bEd376a05182FBc
  • Truebit Contract 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2

Step-by-Step Attack Flow

Transaction Timestamp: Jan 08, 2026–16:02:35 UTC

  1. The attacker called: getPurchasePrice(amount) with a very large amount.
  1. Due to an overflow bug, the function returned: price = 0 wei
  2. The attacker then called: buyTRU() and minted ~240 million TRU tokens for 0 ETH.
  3. Immediately after, the attacker called: sellTRU() and swapped the free TRU tokens for ETH.
  4. This mint-and-sell cycle was repeated multiple times.

Final result:
The attacker drained 8,535.36 ETH from the protocol.

Root Cause

The function getPurchasePrice() relies on an internal pricing calculation (function 0x1446()).Because of unsafe arithmetic, the calculation overflowed, causing the final price to become zero.

Why the Overflow Happened (Simplified)

  • The price formula multiplies:
  • token amount
  • total token supply
  • ETH reserve
  • These numbers are extremely large
  • Intermediate values exceeded the maximum size of a uint256
  • Solidity wrapped the value instead of reverting
  • The final division returned a very small number
  • That number was rounded down to zero

Result

The protocol thought minting TRU was free.

Example From the Exploit

  • total_supply ≈ 1.6e26
  • amount ≈ 2.4e26
  • _reserve ≈ 8.5e21

Two intermediate values (v9 and v12) were valid individually, but:

v9 + v12 > 2^256

This caused an overflow, producing a much smaller number after wrapping.

When divided later:

final_price ≈ 0.000257 ETH → rounded down to 0

Fund Movement

Exploiter 1 Funds

The stolen ETH was split into two wallets:

  • 0xD12f6E0fa7FBF4e3A1c7996E3F0Dd26AB9031a60
    4,267.09 ETH (~$13.2M)
  • 0x273589ca3713e7becf42069f9fb3f0c164ce850a
    4,001.00 ETH (~$12.4M)
Exploiter 2 Activity
  • Sent 71.03 ETH (~$220K) to Tornado Cash, indicating an attempt to launder funds.
Key Takeaways
  • Unchecked arithmetic is dangerous, even in pricing logic.
  • Large-number calculations must use overflow-safe math.
  • Financial functions should:
  • Use checked math
  • Include upper bounds on inputs
  • Be stress-tested with extreme values
  • One overflow bug can drain tens of millions of dollars in seconds.

LEAVE A REPLY

Please enter your comment!
Please enter your name here