Four DeFi exploits tied to unverified smart contracts caused $36.7 million in losses between December 2025 and May 2026, Chainalysis said in a June 10, 2026 report. The firm linked the attacks to an AI-assisted security gap in closed-source contract analysis.

The findings sharpen a long-running concern in DeFi security: obscurity is no longer a credible defensive layer. As attackers use automated tools to inspect bytecode faster and at scale, unverified contracts are becoming a higher-risk category for protocols, custodians and institutional counterparties.

AI Toolchains Accelerate Vulnerability Discovery

Chainalysis identified four incidents behind the $36.7 million total. The largest was Truebit, which lost $26.2 million after attackers abused an integer overflow in an unverified implementation contract deployed in 2021, making the Truebit exploit the dominant loss event in the sample.

The remaining incidents involved Trusted Volumes, Aperture Finance and Ekubo. Trusted Volumes lost $5.9 million, Aperture Finance lost $3.2 million and Ekubo lost $1.4 million, with Chainalysis noting that each exploited contract lacked publicly verified source code on the relevant block explorer at the time of breach.

The report pointed to attacker tooling as a decisive factor. Modern decompilers such as Dedaub, Heimdall and Panoramix can reconstruct readable Solidity-like code from bytecode, and that output can then be fed into large language models to identify reentrancy, access-control and arithmetic weaknesses.

That workflow gives adversaries a speed advantage. Chainalysis said automation allows attackers to triage thousands of unverified contracts quickly, creating a structural visibility gap between attackers and defenders when protocols leave production code unverifiable.

Verification Becomes Baseline Security Hygiene

Chainalysis warned that the industry’s reliance on obscurity has eroded. “Source code verification on block explorers should be treated as a minimum security requirement for any contract that holds or manages user funds,” the report said, stressing the need to verify implementation contracts, not only proxy shells.

The firm urged protocols to treat source-code verification as baseline hygiene and to extend bug bounty coverage to every deployed contract. It also recommended real-time on-chain monitoring for abnormal transaction patterns and suspicious function calls, along with security reviews that validate actual production deployments.

The trend raises the risk premium around closed-source integrations. Without verified code, white-hat researchers, auditors and external reviewers are less likely to detect critical vulnerabilities before attackers exploit them, widening the pre-exploit detection gap.

As AI lowers the cost and time required to find exploitable weaknesses, liquidity providers and institutional integrators are likely to demand stronger transparency, broader bounty coverage and more robust monitoring before allocating capital, making on-chain code visibility a core counterparty-risk factor.

Protocols that fail to adapt may face elevated operational and liquidity risk. In a market where exploit discovery is becoming faster and more automated, verified source code is shifting from best practice to minimum infrastructure standard.