Trouble in DeFi: Truebit Token Collapse

Truebit's TRU token evaporated within a few hours. On Thursday, the price plummeted by nearly 99.9% after an attacker exploited a flaw in an old smart contract to drain around 8,535 ether, worth nearly $26.6 million at market prices. The collapse was brutal and near-total, and it illustrates the ongoing risks associated with legacy contracts.

A Five-Year-Old Flaw, Still Active

Truebit, an Ethereum protocol specializing in decentralized verification and computation, has confirmed that it is aware of a security incident involving one or more malicious actors. The issue does not stem from the most recent code but from a smart contract deployed approximately five years ago.

According to several on-chain analysts, this contract contained faulty mint logic. For certain abnormally large transactions, the price calculation function could return… zero. As a result, the attacker could purchase massive quantities of TRU without paying anything, then immediately resell them to the protocol via the bonding curve to extract ETH.
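The check below is an added example, not Truebit's code or an analyst's: it runs boundary-sized mint amounts through a pricing function and flags any non-zero mint quoted at zero cost. The page does not say why the price came back as zero, so the 256-bit wraparound in `quote_wrapping`, the constant `PRICE_WEI` and all function names are assumptions made for illustration.

```python
"""Pre-deployment invariant check for a mint pricing function.
Toy model: the formula, constants and fault are constructed for illustration
and are not taken from Truebit's contract."""
MASK = (1 << 256) - 1      # largest value an EVM word can hold
PRICE_WEI = 1 << 200       # constructed per-token price

def quote_wrapping(amount):
    # Assumed fault: unchecked uint256 multiply wraps modulo 2**256.
    return (amount * PRICE_WEI) & MASK

def quote_checked(amount):
    # Same formula, but an out-of-range product reverts instead of wrapping.
    cost = amount * PRICE_WEI
    if cost > MASK:
        raise OverflowError("mint cost exceeds uint256")
    return cost

def check_quote(quote, amounts):
    """Return (amount, reason) pairs for every pricing invariant violated."""
    violations = []
    max_cost = 0
    for amount in sorted(amounts):
        try:
            cost = quote(amount)
        except OverflowError:
            continue  # a revert is safe: nothing is minted
        if amount > 0 and cost == 0:
            violations.append((amount, "zero cost for non-zero mint"))
        elif cost < max_cost:
            violations.append((amount, "cost decreased as amount grew"))
        max_cost = max(max_cost, cost)
    return violations

# Constructed inputs: a normal amount plus values around the overflow boundary.
SAMPLE_AMOUNTS = [1, 1 << 55, 1 << 56, (1 << 56) + 1, 1 << 57]

if __name__ == "__main__":
    for name, fn in (("wrapping", quote_wrapping), ("checked", quote_checked)):
        print(name, check_quote(fn, SAMPLE_AMOUNTS))
```

Running the same check against every contract that still holds reserves, not only the latest deployment, is what would surface this class of fault in legacy code.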

A Methodical Draining Mechanism

The attack did not happen in one fell swoop. It relied on a series of buy-sell loops, exploiting temporary reserve pool imbalances as ETH was drained. With each iteration, the contract recalculated prices from a skewed baseline, allowing the extraction to continue until almost all available funds were drained.

The wallet used even paid a small ‘builder bribe’ to prioritize its transactions, speeding up the attack and reducing the chances of external intervention.

As the reserve emptied, the token’s liquidity vanished. The market quickly understood what was happening. Holders tried to exit urgently, precipitating the price collapse.

A Near-Total Crash of the TRU Token

The impact on the market was immediate. TRU lost 99.9% of its value. In practice, the token became all but illiquid, with a price close to zero. For investors, this represents almost complete value destruction, with no realistic chance of short-term recovery.

Truebit has disclosed the address of the affected contract and urged the public not to interact with it anymore. The protocol states that it is in contact with law enforcement, without specifying whether the contracts involved have been paused or whether a partial recovery of funds is feasible.

The Harsh Reminder of Risks Associated with Legacy Contracts

This incident highlights a recurring structural issue in DeFi: old contracts, sometimes forgotten, remain exploitable as long as they hold funds or are linked to active reserves. Updating the main code is not always sufficient. Attack surfaces persist, sometimes for years, until an actor rediscovers them.

For the ecosystem, the message is clear. Occasional audits and partial migrations do not protect against historical flaws. And for Truebit, beyond the financial loss, it is now the protocol’s credibility itself that is seriously compromised.
