Attackers Stole $36.7M From Unverified DeFi Contracts in 6 Months
Peter Zhang Jun 10, 2026 00:43
AI-driven exploits target unverified smart contracts, costing DeFi protocols $36.7M in six months, per Chainalysis report.
Unverified smart contracts are emerging as a favored target for attackers, with $36.7 million stolen across four specific exploits in the past six months, according to a June 9 report from Chainalysis. These incidents highlight how protocols with closed-source code are becoming increasingly vulnerable, especially as attackers leverage AI tools to streamline exploit discovery.
The affected protocols include Truebit, Trusted Volumes, Aperture Finance, and Ekubo, all of which deployed contracts on Ethereum without verifying their source code on public block explorers like Etherscan (verification means publishing the source and compiler settings so the explorer can recompile them and match the result against the deployed bytecode). The largest single exploit occurred on January 8, 2026, when Truebit lost $26.2 million to an integer overflow in its bonding curve mechanism. In total, Chainalysis identified $36.7 million lost across these unverified contracts between December 2025 and June 2026.
How AI is Changing the Game
Attackers are increasingly using AI-driven tools to decompile Ethereum Virtual Machine (EVM) bytecode and identify vulnerabilities at scale. Withholding source code hides nothing from this kind of analysis: the bytecode of every deployed contract is public on-chain. Decompilers such as Dedaub and Heimdall, combined with large language models (LLMs), let attackers recover readable logic from that bytecode and scan it for flaws such as reentrancy bugs, access control issues, and arithmetic errors. This reduces the time and skill required to find exploitable weaknesses and enables systematic, pipeline-driven scanning of unverified contracts.
While closed-source contracts might seem less accessible to attackers, they forfeit the informal security benefits of community scrutiny, competitive audits, and bug bounty programs without gaining any real secrecy. Chainalysis noted that unverified contracts often fall outside the scope of bug bounty initiatives, leaving them even more exposed.
Case Study: Truebit Exploit
Truebit’s exploit exemplifies the risks of unverified contracts. The protocol’s bonding curve mechanism allowed attackers to mint vast quantities of TRU tokens for near-zero cost by exploiting an unguarded addition operation. The vulnerability persisted because the contract was compiled with an outdated version of Solidity (v0.5.3). Solidity only made arithmetic checked by default in v0.8.0; in earlier versions, addition on a uint256 silently wraps modulo 2^256 unless the code wraps every operation in a library such as SafeMath, and a single unguarded operation is enough.
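To make the failure mode concrete, here is an added example (not Truebit's contract and not code from the Chainalysis report) that models EVM uint256 arithmetic in Python and runs a hypothetical, deliberately simplified bonding curve in two modes: wrapping arithmetic, as a pre-0.8 Solidity contract without SafeMath has, and checked arithmetic, as Solidity 0.8+ or SafeMath provides. The curve design (charging the buyer at the price implied by the post-purchase supply), the slope, the buyer names and the amounts are all constructed for illustration. The point it shows is that one wrapped `totalSupply + amount` is enough to drive the computed price to zero and mint an astronomical balance for no payment, while the checked version reverts on the same input.

```python
"""Model of an unguarded uint256 addition in a bonding-curve mint.

EVM integers are 256 bits wide and wrap modulo 2**256. Before Solidity
0.8.0 (so for a contract compiled with 0.5.3) `a + b` wraps silently unless
the code routes every operation through SafeMath. The BondingCurve below is
a hypothetical, simplified contract written for this article, not the
Truebit contract.
"""

UINT256_MAX = (1 << 256) - 1


class Revert(Exception):
    """Stands in for an EVM revert."""


def add(a, b, checked):
    """uint256 addition: wraps when unchecked, reverts on overflow when checked."""
    c = a + b
    if checked and c > UINT256_MAX:
        raise Revert("arithmetic overflow")
    return c & UINT256_MAX


def mul(a, b, checked):
    """uint256 multiplication with the same two semantics."""
    c = a * b
    if checked and c > UINT256_MAX:
        raise Revert("arithmetic overflow")
    return c & UINT256_MAX


class BondingCurve:
    """Linear curve: price per token (in wei) = SLOPE * supply.

    Hypothetical design: the buyer pays `amount * price(newSupply)`, i.e. the
    price implied by the supply *after* the purchase. That is what turns a
    wrapped newSupply into a zero price.
    """

    SLOPE = 10**9  # wei per token per unit of supply (constructed value)

    def __init__(self, checked):
        self.checked = checked
        self.total_supply = 0
        self.balances = {}

    def price(self, supply):
        return mul(self.SLOPE, supply, self.checked)

    def buy(self, buyer, amount, msg_value):
        # The unguarded addition: with checked=False this wraps modulo 2**256.
        new_supply = add(self.total_supply, amount, self.checked)
        cost = mul(amount, self.price(new_supply), self.checked)
        if msg_value < cost:
            raise Revert("insufficient payment")
        self.total_supply = new_supply
        self.balances[buyer] = add(self.balances.get(buyer, 0), amount, self.checked)
        return cost


def honest_purchase(checked):
    """A normal buy of 1,000 tokens at supply 0; returns the cost in wei."""
    curve = BondingCurve(checked)
    return curve.buy("alice", 1_000, msg_value=10**15)


def overflow_attack(checked):
    """Pick `amount` so that totalSupply + amount == 2**256, i.e. wraps to 0."""
    curve = BondingCurve(checked)
    curve.buy("alice", 1_000, msg_value=10**15)  # some real supply exists first
    amount = UINT256_MAX + 1 - curve.total_supply
    try:
        cost = curve.buy("attacker", amount, msg_value=0)
    except Revert as exc:
        return {"reverted": str(exc)}
    return {
        "cost": cost,
        "minted": curve.balances["attacker"],
        "total_supply": curve.total_supply,
    }


if __name__ == "__main__":
    print("honest buy, unchecked:", honest_purchase(checked=False), "wei")
    print("attack, unchecked (Solidity 0.5.x, no SafeMath):", overflow_attack(checked=False))
    print("attack, checked (Solidity 0.8+ or SafeMath):", overflow_attack(checked=True))
```

In the unchecked run the attacker pays 0 wei, receives 2^256 - 1000 tokens, and leaves `totalSupply` at zero, so later price quotes are also wrong. The same input against the checked curve reverts at the addition. Two caveats for practitioners: Solidity 0.8+ restores wrapping inside `unchecked { ... }` blocks, so those need the same scrutiny as pre-0.8 code, and an attacker working from bytecode can find this pattern without ever seeing the source.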
On-chain analysis suggested the attacker methodically tested contracts for vulnerabilities before escalating to larger exploits. The same wallet had exploited a smaller vulnerability in the Sparkle protocol just 12 days prior. Proceeds from both attacks were laundered through Tornado Cash, highlighting the organized nature of these campaigns.
Broader Context: Crypto Exploits in 2026
The $36.7 million stolen from unverified contracts is part of a broader trend of escalating crypto exploits. In May 2026 alone, CertiK reported $68.3 million in total crypto hack losses, while cumulative losses for 2026 now exceed $1.1 billion. Although unverified contracts represent a smaller share of these totals, they remain disproportionately vulnerable given their lack of transparency and community oversight.
Looking back, Firepan’s 2025 report showed $3.3 billion lost to Web3 exploits, with $905.4 million attributed specifically to smart contract vulnerabilities. The rise of AI tools capable of automating exploit discovery suggests these losses could accelerate as attackers refine their methods.
What Protocols Can Do
Chainalysis recommends several steps to mitigate risks associated with unverified contracts:
- Verify Source Code: Publishing verified contract code on block explorers like Etherscan should be standard practice for any contract managing user funds. Verification does not reveal anything the bytecode does not already expose; it only lets defenders read what attackers can already decompile.
- Expand Bug Bounty Scopes: All contracts, including legacy or auxiliary implementations, should be eligible for bug bounty programs.
- Implement Real-Time Monitoring: Tools like Chainalysis Hexagate can identify suspicious activity in real time, providing a critical safety net for unverified contracts.
The Bottom Line
With advancements in AI decompilation and vulnerability analysis, unverified smart contracts are becoming increasingly indefensible. For DeFi protocols, transparency is no longer optional — it’s essential for survival. As attackers continue to exploit the gap between closed-source opacity and cutting-edge automation, the pressure to prioritize open, auditable code has never been greater.