Truebit Protocol experienced a serious security incident on January 8, 2026. According to the analysis report by security firm SlowMist, the attack originated from a critical vulnerability in the Purchase contract.

Specifically, the issue was in the price calculation module. Due to the use of Solidity version 0.6.10, which lacks built-in overflow protection mechanisms, the contract was at risk of integer overflow during addition operations. The attacker exploited this by carefully constructing a series of extreme minting operations. By inputting abnormally large minting amounts, they caused the contract's price calculation to drop directly to zero.

With the zero-price vulnerability, subsequent arbitrage became trivial. The attacker repeatedly executed a "mint—burn" cycle, profiting at no cost each time. This process continued until the contract's reserve pool was completely drained. According to statistics, the hacker gained approximately 8,535 ETH from this attack.

This incident serves as a reminder to developers that extreme caution must be exercised when handling integer operations. Even seemingly simple addition operations require explicit safety measures before automatic checks were introduced in higher versions of Solidity. For DeFi projects, the price calculation logic is of utmost importance— a tiny computational error can escalate into significant economic losses.