First Major Hack of 2026: Truebit Protocol Loses $26.4 Million Due to Smart Contract Vulnerability

This is the first documented major DeFi hack of 2026, highlighting ongoing security risks in the Ethereum ecosystem, even for projects with a long history. According to CertiK data, suspicious transactions were detected yesterday, January 8, and the hacker successfully withdrew funds through an exploit in an old smart contract.

Truebit Protocol is a platform for verifying computations on Ethereum, which uses the TRU token to incentivize network participants. The project has been around since 2020, but the vulnerability was hidden in an outdated contract (address: 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2), which did not undergo proper auditing or updates. As a result of the attack, the price of the TRU token plummeted by nearly 100%, from $0.16 to practically zero ($0.0000000029), wiping out the project's market capitalization and liquidity.

How Exactly Did the Hack Occur?

The exploit was based on an overflow error in the getPurchasePrice() function of the smart contract. This function calculates the price for minting (creating) TRU tokens based on a formula that includes the total token supply, ETH reserve, and the amount the user wants to purchase. Specifically:

• The formula computes variables such as v9 = 200 * total_supply * amount * reserve and v12 = 100 * amount * amount * reserve.
• Then v9 + v12 is added, and the result is divided by another variable (v6).
• The issue arises with large values of the "amount" parameter: the sum v9 + v12 exceeds the maximum value for a 256-bit integer (2^256), leading to overflow. In Solidity (the smart contract language for Ethereum), this wraps the value around to a small number, making the token price practically zero.

The hacker exploited this by inputting a large "amount" value to mint an unlimited number of TRU tokens for minimal cost (almost for free). These tokens were then sold in liquidity pools on Uniswap or similar platforms, exchanging them for ETH from the protocol's reserves. The process was repeated in a loop: minting > selling > ETH drain. The primary hacker (address: 0x6C8EC8f14bE7C01672d31CFa5f2CEfeAB2562b50) extracted the main amount, while a second one took about $250,000.

Interestingly, the hackers conducted small test attacks over several months (from $2,000 to $15,000) before going for the big hit.

The Truebit team confirmed the incident and advised users to avoid interacting with the vulnerable contract. They are cooperating with law enforcement for an investigation, but the chances of recovering the funds are low, as is often the case in DeFi hacks. Analysts from Lookonchain and Cyvers note that this is a typical example of a vulnerability in legacy code: old contracts are often ignored but remain an attractive target for hackers.

Market Implications

This hack became the first serious blow to DeFi in 2026, reminding us of vulnerabilities even in "established" projects. Total losses from hacks in crypto in 2025 exceeded $2 billion, and the trend continues. Investors are advised to check contract audits and avoid lesser-known protocols. Truebit is unlikely to recover, but the event may encourage better security practices in the industry, such as regular audits and migration to new contracts.