defirisk.co
rubric v1.7.0

Truebit: Integer Overflow in Unverified Bytecode / Bonding Curve Exploit

Truebit's 5-year-old unverified contract — with a publicly flagged "rug zone" bonding curve and an exploit function literally named "Attack" — was finally drained for $26.2M by the same wallet that hit Sparkle protocol 12 days earlier.

Occurred 2026-01-08 Loss $26M Status closed

Summary #

Truebit suffered a Layer 2 / Compute Verification Protocol (with token bonding curve) on 2026-01-08, resulting in a loss of approximately $26M.

What happened #

Truebit's 5-year-old unverified contract — with a publicly flagged "rug zone" bonding curve and an exploit function literally named "Attack" — was finally drained for $26.2M by the same wallet that hit Sparkle protocol 12 days earlier.

Linked factors #

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]