Ladies and gentlemen, DeFi is making headlines again. The Truebit protocol has been hit hard—hackers directly stole 8,535 ETH, worth over 180 million RMB. You might think it was a sophisticated attack method, but actually? Quite the opposite.



The hacker used a ten-year-old, well-known "integer overflow" vulnerability. Truebit's Purchase contract, when calculating prices, lacked any overflow protection for integer addition. This single oversight allowed the hacker to mint astronomical amounts of $TRU tokens at almost zero cost. They cashed out and ran, executing the entire process smoothly, like walking into an open vault.

Ironically, this isn't the first time they've fallen into this trap. Projects like BEC and SMT were directly wrecked years ago due to the same vulnerability, and some projects are still making these basic mistakes. Honestly, this is gambling with users' funds.

SlowMist Security Team has already sounded the alarm: all contracts developed with Solidity versions below 0.8.0 must immediately add SafeMath protections to all arithmetic operations. Otherwise, your project could be the next to be exploited. This is not alarmist talk; it's a real lesson. The security bottom line of the ETH ecosystem requires every developer to take it seriously.
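The unchecked price addition described in the post, next to a SafeMath-style checked version, as an added example that is not part of the original post and is not Truebit's code. The contract name, price formula and constants are assumptions made for illustration; Solidity 0.8.0 and later revert on overflow by default.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.6.8 <0.8.0; // before 0.8.0, + wraps silently modulo 2**256

// Minimal checked addition in the SafeMath style, written for this example.
library CheckedMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256 c) {
        c = a + b;
        require(c >= a, "CheckedMath: addition overflow");
    }
}

// Hypothetical purchase contract. The price formula, constants and names are
// constructed for illustration and are not Truebit's code.
contract PurchaseDemo {
    using CheckedMath for uint256;

    uint256 public constant FLAT_FEE = 0.01 ether; // constructed value
    mapping(address => uint256) public balanceOf;

    // Before: price = fee + amount (1 wei per unit). A large enough `amount`
    // pushes the sum past 2**256 - 1 and it wraps around to a small number.
    function priceUnchecked(uint256 amount) public pure returns (uint256) {
        return FLAT_FEE + amount;
    }

    // After: the same formula, but an overflowing sum reverts.
    function priceChecked(uint256 amount) public pure returns (uint256) {
        return FLAT_FEE.add(amount);
    }

    // Minting path built on the checked price. The balance update is checked
    // too, because it is also an addition on caller-influenced values.
    function buy(uint256 amount) external payable {
        require(msg.value >= priceChecked(amount), "insufficient payment");
        balanceOf[msg.sender] = balanceOf[msg.sender].add(amount);
    }

    // Self-check: the unchecked price of the largest uint256 is below the
    // flat fee itself, which can only happen if the addition wrapped.
    function uncheckedPriceWraps() external pure returns (bool) {
        return priceUnchecked(type(uint256).max) < FLAT_FEE;
    }
}
```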
CompoundPersonality · 15h ago
Integer overflow can cause issues; how careless can one be? We already flipped out about BEC back then, and now we're repeating the same mistakes. The vulnerabilities from ten years ago haven't been fixed, implying they're gambling with users' hard-earned money. Even SafeMath has to be added; otherwise, who dares to touch these contracts? 180 million just disappeared like that—ridiculous. This is why people say DeFi is still in its wild growth stage; security is truly just a facade.
SchrodingerGas · 15h ago
Integer overflow, a vulnerability from ten years ago, is still being exploited to target projects. Frankly, it shows that developers don't take security seriously and are just gambling with users' money. This time, the Truebit incident is a game of imbalance—protection costs vs. the probability of being exploited by hackers. As a result, a group of people chose the zero-cost protection route, and now 180 million is gone. Market efficiency, huh? SafeMath is definitely not an optional feature. Projects that didn't implement it before the testnet snapshot have been blacklisted. Anyone willing to gamble on this, I’ll be watching to see who crashes. Reading this news late at night feels a bit upsetting. BEC and Truebit, spanning so many years, still making the same mistakes, shows that ultimately, on-chain security is still a human issue.
SmartMoneyWallet · 15h ago
180 million is gone just like that. Are we still digging this ten-year-old hole of integer overflow? Developers really don't take security seriously. Honestly, it's just laziness. They don't even bother to use SafeMath. Who's to blame? If this time it ruins retail investors' money, we'll be hearing the old tune of "investment involves risks" again. Contracts below Solidity 0.8.0 are all marked as blacklisted. Those still on the chain are ticking time bombs. On-chain data clearly shows who is playing with fire. The problem is, most people don't even look and just rush in. This incident should prompt more than just Truebit to reflect. The entire ecosystem's distribution of chips needs to be clear. Let's not let such basic mistakes cause a third harvest.
ZeroRushCaptain · 15h ago
The vulnerabilities from ten years ago are still causing damage today. This is DeFi—reverse indicators one after another. I bet the next project to be exposed is on your current all-in list.