Hackers Steal $36.7M From Unverified Smart Contracts in Six Months: Report

Highlights:
- Hackers stole $36.7 million from DeFi protocols after discovering flaws in hidden smart-contract code.
- Truebit suffered the biggest reported loss, with attackers draining $26.2 million from its protocol.
- Chainalysis warned that AI tools may help hackers find smart contract weaknesses much faster.
Hackers have stolen at least $36.7 million from DeFi protocols by exploiting weaknesses in unverified smart contracts, according to a Tuesday report by Chainalysis. The blockchain analytics firm said these attacks show how hidden or unpublished contract code can create serious security risks for DeFi projects.
Smart contracts are blockchain-based programs that automatically process transactions. Many crypto projects verify their code on block explorers such as Etherscan so developers, auditors, and security researchers can review it. When contracts remain unverified, the source code is not publicly readable, making outside review much harder.
However, Chainalysis said hiding the code does not stop attackers. Skilled hackers can still study the contract’s bytecode, the compiled code stored on the blockchain, which anyone can read. With the help of decompilers and AI tools, they may now find weaknesses faster than before.
Over the past six months, attackers have stolen at least $36.7 million from protocols using unverified smart contracts. By leveraging AI-assisted tools, bad actors are reverse-engineering raw bytecode to find vulnerabilities at unprecedented speeds. Read our latest research to…
— Chainalysis (@chainalysis) June 9, 2026
Truebit Suffers the Largest Reported Loss
The biggest case in Chainalysis’ report was Truebit. On January 8, an attacker stole $26.2 million from the tokenized asset protocol. Chainalysis said the exploited contract had been deployed on Ethereum since 2021, but its implementation was not verified on Etherscan.
The attack involved a weakness in Truebit’s bonding curve system. A bonding curve helps set a token’s price based on supply. In this case, the flaw allowed the attacker to mint a large number of tokens at almost no cost and then burn them for ETH.
Chainalysis also listed several other incidents. Trusted Volumes lost $5.9 million on May 7. Aperture Finance lost $3.2 million on January 25, while Ekubo lost $1.4 million on May 5.
AI Tools Add Pressure on DeFi Security
Chainalysis said AI-assisted exploit development could make unverified contracts more dangerous. Attackers can use decompilers to turn bytecode into a more readable format. They can then use large language models to search that code for flaws.
This does not mean AI creates the weakness on its own. Instead, it can speed up the review process for attackers. A task that once required more time and manual effort may now become easier to scale across many contracts.
The report also pointed to a weakness in some bug bounty programs. Some exploited contracts were outside the scope of these programs, even though they controlled user funds. As a result, ethical hackers had less incentive or permission to report problems before attackers abused them.
Chainalysis Calls for Better Code Verification
Chainalysis said crypto teams should verify the source code of any smart contract that handles user funds. Public verification allows more people to inspect the code and may help projects find issues before an exploit happens. The company also urged teams to audit the contracts they actually deploy, expand bug bounty coverage, and monitor blockchain activity in real time. Fast detection is important because many DeFi attacks happen within minutes.
Syed Ali Haider
Ali Haider is a contributing crypto writer at Crypto2Community. He is a crypto and blockchain journalist with over six years of experience and has long advocated for digital freedom and cybersecurity. Haider has been featured in several high-profile crypto and finance outlets, including Coincult, AltcoinBeacon, BTCRead, and more.