Crypto hackers drained roughly $36.7 million from four DeFi protocols over the past six months — and every single one of the exploited contracts had source code that was never publicly verified on blockchain explorers. The largest incident, a $26 million hit on Ethereum-based Truebit in January, exploited an integer overflow in code written in a Solidity version from 2018. Now Chainalysis is warning that the attack vector is growing more dangerous as cheap AI tools make it easier for thieves to tear through unverified bytecode.
The $26M Truebit Exploit
Truebit's contract had been sitting on Ethereum since 2021 — unverified and unreviewed. Attackers cracked it by finding an integer overflow flaw in the bonding curve. The code was written in Solidity v0.5.3, which lacks automatic overflow protections. That version is years old, but the contract was never updated or audited. Bug bounty programs often exclude unverified contracts, so that vulnerability sat untouched for years.
Old Solidity Code Left Unchecked
All four compromised contracts — Truebit, Trusted Volumes, Aperture Finance, and Ekubo — shared one thing: no one had ever verified their source code on Etherscan or similar tools. Without verification, the actual logic running on-chain is opaque. Attackers don't need the source; they can grab the deployed bytecode and decompile it using tools like Dedaub, Heimdall, or Panoramix. Then they apply AI systems to hunt for reentrancy, arithmetic errors, and access-control flaws. That's exactly what happened across all four incidents, which also involved input-validation errors and identity verification failures.
Attackers Turn to AI and Bytecode Analysis
The $36.7 million figure is small relative to the broader DeFi theft landscape — Chainalysis puts total losses above $1 billion over the same period. But the method is what worries the firm. Automated analysis tools are getting cheaper and more accessible for attackers. Chainalysis warns that the unverified-contract risk could accelerate as more hackers learn to pivot from source-code audits to bytecode scanning aided by AI.
Chainalysis: Verification Must Be Baseline
The firm recommends that source-code verification become a baseline requirement for any contract that holds user assets. Audits and bug bounties should also cover implementation contracts behind proxy structures, not just the proxy itself. Without that, contracts like Truebit's can sit exposed for years. The question hanging over the industry now: how many more unverified contracts are out there, holding user money, waiting to be decompiled?
