Chainalysis: In the past six months, blockchain protocols have lost $36.7 million; unverified smart contracts have become a target for hackers


Blockchain protocol attacks

Blockchain analytics firm Chainalysis released a report on June 9, documenting that between January and May, at least $36.7 million was stolen from protocols whose original code was never publicly verified on a block explorer, involving 4 attacks and 5 protocols. In all cases, the attackers found the vulnerabilities by decompiling the original bytecode (rather than reading publicly available source code).

Four Attack Cases: Loss Amounts, Dates, and Confirmed Vulnerability Types

According to the Chainalysis report, the confirmed data for the five attacked protocols is as follows:

Truebit: $26.2 million, January 8, 2026, on Ethereum; integer overflow in the getPurchasePrice() function (Solidity v0.5.3; this version lacks automatic overflow protection)

Trusted Volumes: $5.9 million, May 7, 2026, on Ethereum; access control vulnerability in the RFQ exchange proxy program

Aperture Finance: $3.2 million, January 25, 2026, on Ethereum; bypassing input validation via transferFrom

Screenshot of the Ekubo contract vulnerability (Source: Chainalysis)

Ekubo: $1.4 million, May 5, 2026, on Ethereum; rollback logic not verifying the identity of the payer

Chainalysis confirmed that, at the time of the attacks, the relevant contracts of all the above protocols were not verified on Etherscan or other block explorers, and there was no publicly associated source code.

Truebit Case Details: Contracts Deployed in 2021; On-Chain Records Show Systematic Attack Behavior

Chainalysis’ Reactor chart analysis shows that the attacker address involved in the Truebit attack (January 8, 2026; loss of $26.2 million) had stolen 5 ETH from the Sparkle protocol twelve days earlier.

The report confirms that the address systematically searched for vulnerabilities in both verified and unverified contracts—gradually escalating from an initial small target to a final large-scale attack. The funds obtained from both attacks were laundered through Tornado Cash. The Truebit-attacked contract was deployed on Ethereum starting in 2021 and has never had its original code verified on Etherscan.
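The Truebit entry above names an integer overflow in getPurchasePrice() under Solidity 0.5.3, which has no built-in overflow checks. The following is an added illustration, not Truebit's code, of how unchecked pre-0.8 arithmetic lets a computed price wrap modulo 2**256, beside the SafeMath-style checked form that reverts instead; the sale contract, its state variables and the prices are hypothetical.

```solidity
pragma solidity 0.5.3;

// Minimal SafeMath-style checked arithmetic, the pattern used before
// Solidity 0.8.0 made overflow checks automatic (hypothetical, not Truebit's).
library SafeMath {
    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a == 0) return 0;
        uint256 c = a * b;
        require(c / a == b, "SafeMath: multiplication overflow");
        return c;
    }
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "SafeMath: addition overflow");
        return c;
    }
}

// Hypothetical sale whose unit price rises with the number of units sold.
contract VulnerableSale {
    uint256 public basePrice = 1e15; // constructed value: 0.001 ETH per unit
    uint256 public sold;             // units sold so far

    // Unchecked: in 0.5.x, `+` and `*` wrap silently on overflow, so for a
    // large enough `amount` the returned price is far below the true one.
    function getPurchasePrice(uint256 amount) public view returns (uint256) {
        uint256 unitPrice = basePrice + sold;
        return unitPrice * amount;
    }

    // The wrapped price is what the payment check trusts.
    function buy(uint256 amount) public payable {
        require(msg.value >= getPurchasePrice(amount), "underpaid");
        sold = sold + amount;
    }
}

contract HardenedSale {
    using SafeMath for uint256;
    uint256 public basePrice = 1e15;
    uint256 public sold;

    // Checked: any wrap in the price computation reverts the transaction.
    function getPurchasePrice(uint256 amount) public view returns (uint256) {
        return basePrice.add(sold).mul(amount);
    }

    function buy(uint256 amount) public payable {
        require(msg.value >= getPurchasePrice(amount), "underpaid");
        sold = sold.add(amount);
    }
}
```

Because only the contract's bytecode was on chain, neither form could be read by reviewers; monitoring the on-chain price paid against units received is the kind of signal the report's recommendation of real-time monitoring refers to.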

Three Security Gaps in Unverified Contracts: Defense Mechanisms Confirmed as Failing by Chainalysis

Chainalysis’ report confirms that when a protocol chooses to deploy in a closed-source manner, the following three traditional security layers lose their effectiveness in tandem:

White-hat research review fails: with no publicly readable source code, security researchers cannot identify and report vulnerabilities

Bug bounty program exclusion: unverified contracts are typically explicitly excluded from major bug bounty programs

Community-driven reporting fails: in an open review environment without source code, the community cannot proactively identify security issues

Chainalysis’ report confirms that for protocols deploying unverified contracts, real-time on-chain monitoring is currently the only protective measure that can replace the failure of the above mechanisms.

Common Questions

What are the core security differences between unverified and verified smart contracts?

For verified contracts, the original source code can be publicly read on block explorers such as Etherscan, allowing security researchers to directly identify vulnerabilities and submit reports. Unverified contracts only publicly expose compiled bytecode; both security researchers and attackers must use decompilation tools for reverse engineering. Unverified contracts are also typically excluded from major bug bounty programs.

How does the $36.7 million recorded by Chainalysis compare with overall DeFi losses?

According to the Chainalysis report, $36.7 million is one standalone subcategory within the $1 billion+ total losses recorded by DeFiLlama for 88 DeFi protocols in the same period. Most of the attacked protocols recorded by DeFiLlama have verified smart contracts. Attacks on unverified contracts constitute a unique attack pattern and should not be directly compared to broader DeFi security statistics.

What specific security recommendations does Chainalysis have for unverified-contract protocols?

The only specific recommendation confirmed by the Chainalysis report is deploying real-time on-chain monitoring to replace the failure functions of traditional security ecosystems for unverified contracts. The report does not provide specific monitoring tool recommendations, implementation standards, or timing guidance.
