TrueBit Oracle Exploit (January 2026)
Summary
On January 8, 2026, the Truebit Protocol smart contract on Ethereum was exploited via an integer overflow vulnerability in a legacy, unaudited Purchase contract (deployed circa 2021, compiled with Solidity v0.5.3), allowing an attacker to mint TRU tokens at near-zero cost and drain 8,535 ETH (approximately $26.2–26.6 million) from the bonding-curve reserve. The stolen funds were fully laundered through Tornado Cash by January 11, 2026, and no meaningful recovery has been reported. The incident caused TRU token to collapse approximately 99.9% within 24 hours, and the same primary attacker address was linked by PeckShield to a prior Sparkle Protocol exploit approximately 12 days earlier.
Connected Entities
1 entities · 10 linked investigationsTimeline(10 events)
2021-01-01
Truebit Protocol Purchase contract (0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2) deployed on Ethereum, compiled with Solidity v0.5.3. Source code not verified on Etherscan. No third-party audit on record.
Rekt News: Truebit — Rekt2025-12-06
Primary attacker wallet (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) funded via the Across Protocol cross-chain bridge, approximately 33 days before the exploit.
Rekt News: Truebit — Rekt2025-12-27
Alleged same primary attacker exploits Sparkle Protocol using a similar integer-overflow minting technique, draining approximately 5 ETH. PeckShield links the Sparkle attacker address to the subsequent Truebit exploit.
CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether2026-01-08
Primary exploit executed on Ethereum. Attacker mints billions of TRU tokens via integer overflow in getPurchasePrice(), burns them at the 12.5% buyback rate, and repeats across five iterations in a single atomic transaction. 8,535 ETH (~$26.2–26.6M) drained from the Purchase contract.
Rekt News: Truebit — Rekt2026-01-08
Secondary opportunistic attacker (0xc0454E545a7A715c6D3627f77bEd376a05182FBc) exploits the same vulnerability, draining an additional approximately $250,000–$253,000 in ETH.
Rekt News: Truebit — Rekt2026-01-08
TRU token collapses approximately 99.9% within hours of the exploit, from approximately $0.1659 to near zero. CoinGecko flags the project with an exploit warning.
CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether2026-01-08
Truebit team issues brief public statement approximately two hours after exploit detection, acknowledging 'a security incident involving one or more malicious actors,' advising against interacting with the affected contract, and stating law enforcement contact.
Rekt News: Truebit — Rekt2026-01-09
Blockchain security firms CertiK and PeckShield publish on-chain analysis confirming the exploit details and linking the attacker to the prior Sparkle Protocol incident.
CoinDesk: Truebit token (TRU) crashes 99.9% after hacker drains $26.6 million in ether2026-01-10
Lookonchain and Blockchain.news report that the stolen 8,535 ETH has been moved through multiple laundering wallets and deposited into Tornado Cash privacy mixer.
Blockchain.news Flash: Truebitprotocol Exploiter Moves 8.5K ETH Into Tornado Cash2026-01-11
Crypto Briefing and MEXC News report that all 8,535 ETH has been fully laundered through Tornado Cash. Recovery prospects considered extremely low.
Crypto Briefing: Truebit hacker launders $26 million in ETH via Tornado CashDecision Log
- hash: 37a8snmu1F88R3xWfYbADyhcXRq7YMME5zScdUgmQiVU
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 6/8/2026, 1:22:10 AM
last updated: 6/8/2026, 1:22:14 AM
avoid.net — verified advice for a post-truth world