A crypto hacker who drained $26 million from Ethereum-based protocol Truebit in January had likely practiced the technique on smaller targets first, according to blockchain analytics firm Chainalysis.
A Contract Left Exposed For Years
Why Closed Code Creates Open Risk
Verified contracts get reviewed. Bug bounty hunters read them. Independent researchers flag problems before attackers do. Unverified contracts get none of that scrutiny, and many bug bounty programs specifically exclude them from coverage, meaning vulnerabilities can sit untouched for years while millions of dollars flow through the affected code.
Once decompiled, the code can be fed into AI systems capable of spotting reentrancy flaws, arithmetic errors, and access-control weaknesses at a scale no human reviewer could match.
The $36.7 million figure is a fraction of total DeFi losses during the same period — Chainalysis puts the broader six-month theft total above $1 billion. But the firm argues the unverified contract problem could grow as automated analysis tools become cheaper and easier to use, allowing attackers to scan large numbers of dormant contracts and rank them by exploitability.
The Vulnerabilities Varied, But The Pattern Did Not
Across the four incidents, the specific bugs differed. Reports indicate weaknesses ranged from integer overflow and access-control failures to input-validation errors and identity verification flaws.
What they shared was the same protection gap: no public source code, no external review, and no real-time monitoring in place to catch abnormal activity before the funds were gone.
Chainalysis is recommending that protocols treat source-code verification as a baseline requirement for any contract holding user assets.
The firm also says audits and bug bounty coverage should extend to implementation contracts sitting behind proxy structures — components that often go unreviewed even when the front-facing contract is verified.
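The check behind that recommendation is mechanical and worth automating: read the EIP-1967 implementation slot of a contract, and treat the implementation address it points to as part of the review surface. The script below is an added example written for this page, not Chainalysis's or any protocol's tooling. It reimplements Keccak-256 in pure Python so it runs with no dependencies, derives the EIP-1967 slots the way the standard defines them (keccak256 of the label minus one), and replaces the JSON-RPC eth_getStorageAt call and the block explorer's verification lookup with constructed in-memory stand-ins; those stand-ins, the sample addresses and the finding strings are assumptions for illustration.

```python
"""Flag contracts whose source is unverified, including the implementation
(and admin) behind an EIP-1967 proxy.  Chain and explorer access are replaced
by constructed in-memory stand-ins (assumption) so the script runs offline."""

MASK = (1 << 64) - 1
RC = [  # Keccak-f[1600] round constants
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, ROT[x][y]


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK if n else v


def _keccak_f(st):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes stored as st[x + 5*y]."""
    for rc in RC:
        c = [st[x] ^ st[x + 5] ^ st[x + 10] ^ st[x + 15] ^ st[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        st = [st[i] ^ d[i % 5] for i in range(25)]                      # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                           # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(st[x + 5 * y], ROT[x][y])
        st = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & MASK & b[(i + 2) % 5 + 5 * (i // 5)])
              for i in range(25)]                                        # chi
        st[0] ^= rc                                                      # iota
    return st


def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256 (0x01 pad10*1), not NIST SHA3-256 (0x06 padding)."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))


# EIP-1967 fixed storage slots: keccak256(label) - 1, so no Solidity variable can collide.
IMPL_SLOT = int.from_bytes(keccak256(b"eip1967.proxy.implementation"), "big") - 1
ADMIN_SLOT = int.from_bytes(keccak256(b"eip1967.proxy.admin"), "big") - 1


def word_to_address(word: bytes):
    """A 32-byte storage word holding an address in its low 20 bytes; None if empty."""
    if len(word) != 32 or any(word[:12]) or not any(word[12:]):
        return None
    return "0x" + word[12:].hex()


# Constructed sample (assumption): a verified proxy whose implementation is unverified,
# an admin contract, and a plain verified contract.
PROXY = "0x" + "aa" * 20
IMPL = "0x" + "bb" * 20
ADMIN = "0x" + "dd" * 20
PLAIN = "0x" + "cc" * 20
SAMPLE_STORAGE = {
    (PROXY, IMPL_SLOT): bytes(12) + bytes.fromhex("bb" * 20),
    (PROXY, ADMIN_SLOT): bytes(12) + bytes.fromhex("dd" * 20),
}
SAMPLE_VERIFIED = {PROXY: True, IMPL: False, ADMIN: True, PLAIN: True}


def get_storage(addr, slot):  # stand-in for JSON-RPC eth_getStorageAt (assumption)
    return SAMPLE_STORAGE.get((addr, slot), bytes(32))


def is_verified(addr):  # stand-in for a block explorer's source-verification lookup (assumption)
    return SAMPLE_VERIFIED.get(addr, False)


def verification_findings(addr, get_storage=get_storage, is_verified=is_verified):
    """Gaps a reviewer should flag before putting user funds behind `addr`.
    An empty list means the contract and everything it delegates to has public source."""
    findings = []
    if not is_verified(addr):
        findings.append(f"{addr}: source not verified")
    impl = word_to_address(get_storage(addr, IMPL_SLOT))
    if impl is None:
        return findings  # no EIP-1967 implementation slot set: not a proxy of this kind
    if not is_verified(impl):
        findings.append(f"{addr}: EIP-1967 implementation {impl} has no verified source")
    admin = word_to_address(get_storage(addr, ADMIN_SLOT))
    if admin and not is_verified(admin):
        findings.append(f"{addr}: upgrade admin {admin} has no verified source")
    return findings


if __name__ == "__main__":
    for contract in (PROXY, PLAIN):
        print(contract, verification_findings(contract) or ["ok"])
```

Two caveats when running this against a live chain: proxies that predate EIP-1967 (or use a beacon, whose slot label differs) keep the implementation elsewhere, so an empty slot means "not this proxy pattern", not "not a proxy"; and a verified proxy with an unverified implementation is exactly the case the text describes, which is why the script reports the implementation separately rather than stopping at the front-facing contract.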
Featured image from CybersecAsia, chart from TradingView