Key facts
- Unverified DeFi contracts have been linked to at least $36.7 million in losses across four exploits since January.
- The largest exploit targeted Truebit, resulting in a $26.2 million loss due to an unverified contract.
- Attackers are increasingly exploiting protocols with unverified source code, which limits security researcher scrutiny.
- Advances in AI and decompilation tools are aiding attackers in identifying vulnerabilities in smart contracts.
- Chainalysis recommends source code verification, broader bug bounty coverage, and real-time monitoring as safeguards.
Unverified smart contracts have been linked to at least $36.7 million in losses across four decentralized finance (DeFi) exploits since January, according to a report by Chainalysis. Attackers are increasingly targeting protocols whose source code is not publicly available, a trend that is being amplified by advances in artificial intelligence and decompilation tools.
The largest incident involved Truebit, which lost $26.2 million after an attacker exploited an integer overflow vulnerability in a contract that had remained unverified on Ethereum since 2021. Other incidents affected Trusted Volumes, Aperture Finance, and Ekubo. In each case, the exploited contract's source code was not publicly available on a blockchain explorer, which limited scrutiny from security researchers and left the contracts outside the scope of many bug bounty programs.
Chainalysis attributes the growing trend to improved tools that can partially automate the process of reverse-engineering smart contract bytecode, a task that previously required significant time and expertise. The firm stated that protocols relying on hidden code are increasingly depending on "obscurity as a security measure," an approach that is rapidly losing effectiveness.
The report comes amid a broader rise in crypto exploits, with hackers stealing $629.7 million in April alone, the highest monthly total since February 2025. KelpDAO lost $293 million and Drift Protocol suffered a $280 million exploit during that month. Although losses decreased in May, the fallout from April's attacks continued, with the KelpDAO attacker reportedly laundering nearly all of the $220 million in unfrozen stolen funds.
