BEARISH 📉 : Chainalysis reports hackers exploit unverified DeFi contracts, steal $37M in six months

Chainalysis links $36.7M in DeFi exploits to unverified contracts. Truebit lost $26M on Ethereum in January.

The firm says the Truebit hacker likely tested the method on smaller targets first. Four incidents over six months hit Truebit, Trusted Volumes, Aperture Finance, and Ekubo, totaling $36.7M in losses, per Chainalysis.

Truebit’s contract had sat on Ethereum since 2021. It was compiled with Solidity v0.5.3, a version without the built-in overflow checks Solidity added in 0.8.0, so arithmetic on uint256 values wraps silently. An integer overflow in a bonding curve let the attacker mint tokens far below the intended price and swap them for ETH, according to Chainalysis.
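The class of bug described above, as an added example that is not Truebit’s code and does not reproduce its actual curve: a toy quadratic bonding curve evaluated in Python under the two arithmetic regimes. The unchecked helpers model what Solidity 0.5.x emits (results taken modulo 2**256), the checked ones model Solidity 0.8+ or SafeMath (revert on overflow). The constant K, the curve shape, and the buyer names are assumptions for illustration.

```python
# Added example (not Truebit's code): a toy quadratic bonding curve evaluated
# with pre-0.8 Solidity uint256 semantics (silent wrap) vs checked arithmetic.
MOD = 2**256
K = 10**12  # hypothetical curve constant in wei per token^2; assumed, not Truebit's value


def mul_unchecked(a: int, b: int) -> int:
    """EVM MUL: result is taken modulo 2**256, which is what Solidity <0.8 emits."""
    return (a * b) % MOD


def add_unchecked(a: int, b: int) -> int:
    """EVM ADD with the same silent wrap."""
    return (a + b) % MOD


def mul_checked(a: int, b: int) -> int:
    """Solidity >=0.8 (or SafeMath) behaviour: revert instead of wrapping."""
    r = a * b
    if r >= MOD:
        raise OverflowError("mul overflow")
    return r


def add_checked(a: int, b: int) -> int:
    """Checked addition with the same revert-on-overflow rule."""
    r = a + b
    if r >= MOD:
        raise OverflowError("add overflow")
    return r


class BondingCurve:
    """Mint cost = K * amount**2 wei. Supply and balances are uint256 values."""

    def __init__(self, checked: bool):
        self.mul = mul_checked if checked else mul_unchecked
        self.add = add_checked if checked else add_unchecked
        self.supply = 0
        self.balances: dict[str, int] = {}

    def quote(self, amount: int) -> int:
        # amount * amount is the dangerous product: for amount >= 2**128 it
        # exceeds 2**256 and, unchecked, wraps to a small number (here to 0).
        return self.mul(K, self.mul(amount, amount))

    def mint(self, buyer: str, amount: int, paid_wei: int) -> int:
        cost = self.quote(amount)
        if paid_wei < cost:
            raise ValueError("insufficient payment")
        self.supply = self.add(self.supply, amount)
        self.balances[buyer] = self.add(self.balances.get(buyer, 0), amount)
        return cost


def demo() -> tuple[int, int, bool]:
    """Honest cost for 1000 tokens and attacker cost for 2**128 tokens on the
    unchecked curve, plus whether the checked curve rejects the attacker."""
    vuln = BondingCurve(checked=False)
    honest_cost = vuln.mint("alice", 1000, 10**18)    # 1 ETH, as the curve intends
    attacker_cost = vuln.mint("mallory", 2**128, 0)   # (2**128)**2 wraps to 0 wei
    safe = BondingCurve(checked=True)
    try:
        safe.quote(2**128)
        rejected = False
    except OverflowError:
        rejected = True
    return honest_cost, attacker_cost, rejected


if __name__ == "__main__":
    print(demo())  # (1000000000000000000, 0, True)
```

The attacker does not need the product to wrap exactly to zero; any amount whose square lands on a small residue modulo 2**256 yields a near-free mint, which is why the fix is to reject the overflow rather than to special-case particular inputs.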

Unverified code, meaning bytecode with no matching source published on a block explorer, gets no public review. Bug bounties often exclude it. Vulnerabilities can sit for years while funds keep flowing through the contract, the report notes.


Attackers decompiled bytecode with tools like Dedaub, Heimdall, and Panoramix. They then used AI to flag reentrancy, arithmetic, and access-control bugs at scale, per Chainalysis.

$36.7M is a small share of the more than $1B stolen from DeFi over the same six-month period. But Chainalysis warns that automated scanning could widen the risk as the tools get cheaper.

Bugs varied across cases. Integer overflow, access-control failures, input-validation errors, and identity verification flaws all appeared, per Chainalysis.

The pattern stayed the same. No public source code. No external review. No real-time monitoring to catch anomalies, the firm says.
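One form the missing real-time monitoring could take, as an added example that is not from the report or from any of the affected projects: an off-chain invariant checker that recomputes what each mint should have cost using arbitrary-precision integers (which cannot wrap) and alerts when the contract accepted less. The curve constant K, the event shape, and the sample feed are constructed for illustration; a real deployment would feed it decoded Mint events from a node.

```python
# Added example (not from the report or any affected project): an off-chain
# invariant monitor that recomputes the intended mint cost and alerts when the
# contract accepted less. Curve constant and events are constructed.
from dataclasses import dataclass

K = 10**12  # hypothetical curve constant, wei per token^2 (assumption)


@dataclass(frozen=True)
class MintEvent:
    tx: str        # constructed label, not a real transaction hash
    minter: str    # constructed label, not a real address
    amount: int    # tokens minted, per the Mint event
    paid_wei: int  # wei the contract actually received in that call


def expected_cost_wei(amount: int) -> int:
    """Intended curve, evaluated with Python big ints so it can never wrap."""
    return K * amount * amount


def find_underpaid_mints(events, tolerance_pct: int = 1):
    """Return mints that paid less than (100 - tolerance_pct)% of the intended cost.
    Integer comparison avoids float precision loss at 256-bit magnitudes."""
    alerts = []
    for ev in events:
        expected = expected_cost_wei(ev.amount)
        if ev.paid_wei * 100 < expected * (100 - tolerance_pct):
            alerts.append({
                "tx": ev.tx,
                "minter": ev.minter,
                "amount": ev.amount,
                "paid_wei": ev.paid_wei,
                "expected_wei": expected,
            })
    return alerts


# Constructed sample feed: two legitimate buys and one overflow-priced mint.
SAMPLE_EVENTS = [
    MintEvent("0xaaa1", "0xalice", 1000, 10**18),          # exactly on curve
    MintEvent("0xaaa2", "0xbob", 2000, 4 * 10**18 + 5),     # tiny overpay, fine
    MintEvent("0xaaa3", "0xmallory", 2**128, 0),            # free mint: should alert
]


if __name__ == "__main__":
    for a in find_underpaid_mints(SAMPLE_EVENTS):
        print(f"ALERT {a['tx']}: {a['minter']} minted {a['amount']} tokens for "
              f"{a['paid_wei']} wei, curve expected {a['expected_wei']} wei")
```

The check is deliberately independent of the contract's own arithmetic: it reimplements the pricing rule rather than reading the contract's reported cost, so a bug in the on-chain math shows up as a mismatch instead of being trusted.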

Chainalysis recommends source-code verification as a baseline for any contract that holds assets. Audits and bug bounties should also cover the implementation contracts behind proxies, not just the proxy contract users interact with, per its report.