Truebit suffered a major security breach on January 8, 2026 that let attackers mint TRU tokens at near-zero cost and drain roughly 8,535 ETH—about $26.4–$26.6 million—from protocol reserves. The failure point was a legacy minting contract whose pricing arithmetic overflowed, effectively collapsing the ETH required to mint tokens to almost nothing.

The market impact was immediate: TRU’s value fell roughly 99–100% as liquidity was pulled out through the exploit path. Truebit confirmed the incident, warned users to avoid the affected contract, and moved to cooperate with law enforcement. This was not a contained bug—it became a protocol-level capital event with direct liquidity and trust consequences.

Today, we became aware of a security incident involving one or more malicious actors. The affected smart contract is 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2 and we strongly advise the public not to interact with this contract until further notice. We are in contact with law…

— Truebit (@Truebitprotocol) January 8, 2026

Root cause: unsafe arithmetic in an old Purchase contract

The vulnerable component was the Purchase (minting) contract, roughly five years old. An integer overflow in the price calculation allowed intermediate values to wrap when they exceeded the maximum representable value of a uint256, producing an incorrect mint cost near zero. Instead of reverting, the math “rolled over,” and the pricing logic quietly broke.

The contract was compiled with Solidity 0.6.10, which predates built-in overflow checks, and it did not include explicit SafeMath-style protections. That combination left token-economic pricing logic exposed to a known class of arithmetic failure.

Exploit path: mint for near free, then extract ETH from pools

Attackers exploited the arithmetic failure to mint a large amount of TRU for negligible ETH, then swapped the newly minted tokens through liquidity pools to pull out ETH. The extracted amount traced on-chain totals about 8,535 ETH, with two distinct actors associated with captures of roughly $26 million and roughly $250,000. Once the mint price collapsed, liquidity pools became the extraction mechanism.

After draining the reserves, the stolen ETH was routed through a privacy mixer, increasing recovery difficulty and complicating attribution. Mixing doesn’t make theft “disappear,” but it raises the operational burden for tracing and enforcement.

For allocators, custodians, and protocol engineers, the lesson is straightforward: legacy contracts require continuous maintenance, and arithmetic in minting and pricing logic must be treated as critical infrastructure. A single overflow in a token-economic function can cascade into outsized balance-sheet losses and rapid market contagion.

The next phase hinges on remediation and governance execution: isolating or disabling the affected contract, communicating clear user guidance, and presenting a credible recovery or restitution plan where possible. Institutions will calibrate risk frameworks based on how quickly the protocol hardens its surface area and how transparently it documents root cause and corrective actions.