The exploit targeted an older smart contract—specifically a flaw in the getPurchasePrice function that returned a zero price for large mint amounts.
Yeah, you read that right. Free tokens. The attacker basically found a way to mint TRU tokens for nothing, then sold them back to the protocol for ETH. Rinse and repeat until the treasury was gutted. One transaction was literally labeled “Attack.” Not exactly subtle.
To guarantee success, the hacker paid MEV bribes to miners, front-running any potential fixes. Smart, but cold-blooded. The ETH reserves backing TRU liquidity were decimated, leaving the protocol financially hobbled.
The cleanup operation was just as methodical. About half the stolen ETH—a cool $13 million—was quickly routed through Tornado Cash, the mixer of choice for crypto criminals. The laundering started almost immediately, suggesting this wasn’t some kid who stumbled into an exploit. This was planned. The security firm PeckShield confirmed that the flaw existed in the minting function, allowing the attacker to exploit the contract with impunity.
Stolen funds hit Tornado Cash faster than you can say “premeditated.” This wasn’t amateur hour—this was a criminal masterclass.
Market reaction? Total bloodbath. TRU plummeted from $0.16 to practically nothing—we’re talking $0.0000000029. That’s nine zeros. Users were strongly advised to avoid interacting with the contract at address 0x764C64b2A09b09Acb100B80d8c505Aa6a0302EF2. Holders panicked, selling drove prices lower, and suddenly TRU was competing for 2026’s most spectacular token collapse. This incident highlights why investors should implement robust internal controls when dealing with smart contract interactions to protect against similar exploits.
While Truebit promises they’re working with law enforcement, the damage is done. The protocol’s reputation is in tatters. Their ETH reserves? Gone. Their token? Worthless.
And somewhere, a hacker with $26 million is probably laughing all the way to their hardware wallet.
