Truebit’s TRU token lost nearly all of its value after a $26.4 million smart contract exploit triggered a full liquidity drain.
Ethereum-based infrastructure project Truebit’s native token TRU collapsed nearly 100% after a smart contract exploit drained over $26.4 million from the protocol. The attack started with a suspicious on-chain transaction and quickly resulted in a full liquidity drain.
Notably, the attacker exploited a math error in Truebit’s minting contract, which incorrectly priced TRU close to zero. The bug allowed the attacker to mint massive amounts of TRU tokens at almost zero cost.
The attacker then sold them back into the pool. Each cycle pulled more ETH ETH $2 051 24h volatility: 1.2% Market cap: $247.48 B Vol. 24h: $22.29 B out of the protocol. On-chain data shows the attacker also paid a small builder bribe to ensure a fast transaction and prevent intervention.
Security researcher Weilin Li independently confirmed that the exploit was based on a five-year-old smart contract flaw. No private keys were compromised and the system failed purely due to faulty math.
Another 26M hack. @Truebitprtocol
I haven't decompiled the vulnerable code yet, but the root cause appears to be a mispriced minting function of its purchase contract that allows anyone to purchase TRU token at a very low price.
The first attacker (26M profit):… pic.twitter.com/qmoDB54I0w
— Weilin (William) Li (@hklst4r) January 8, 2026
$26.4M Drained in ETH
As per the on-chain data, the hacker divided 8,535 ETH in stolen funds across two wallets. One received around 4,267 ETH, while another collected around 4,001 ETH.
Once liquidity was removed, TRU’s market structure collapsed instantly. Before the exploit, TRU was trading near $0.16. However, it crashed more than 99% to around $0.00 after the case.
At the time of writing, TRU is trading around $0.034. The altcoin currently has nearly all market capitalization erased, according to CoinMarketCap data.
Truebit Team Responds
Truebit acknowledged the incident on X and stated that it is working with law enforcement to handle the situation. At the time of writing, no recovery plan or reimbursement details have been confirmed.
Today, we became aware of a security incident involving one or more malicious actors. The affected smart contract is 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2 and we strongly advise the public not to interact with this contract until further notice. We are in contact with law…
— Truebit (@Truebitprotocol) January 8, 2026
The incident marks the first major crypto hack of 2026, following a year that saw several DeFi exploits. In 2025, protocols like Balancer suffered major losses due to smart contract vulnerabilities.
next