June 10, 2026

Unverified Smart Contracts Increasingly Targeted In $36.7M Wave Of Crypto Exploits, Chainalysis Warns

In Brief

Chainalysis reports $36.7M stolen from unverified smart contracts in six months, as attackers exploit decompiled code and AI tools, highlighting rising risks in closed-source DeFi protocols.


Chainalysis, a blockchain data and analytics firm, has published a report indicating that at least $36.7 million was stolen over the past six months from cryptocurrency protocols whose smart contract source code was not publicly verified. The findings suggest that attackers targeted unverified contracts by reverse-engineering compiled bytecode in order to identify vulnerabilities, in some cases exploiting long-standing flaws.

The report situates these incidents within an ongoing debate in the crypto security sector regarding whether open-sourcing smart contract code improves security or inadvertently assists attackers by providing a clear view of system logic. While most major decentralized finance (DeFi) protocols publish and verify their source code on block explorers such as Etherscan, a subset of protocols continues to operate with closed-source contracts, limiting transparency for both attackers and legitimate security researchers.


According to the analysis, unverified smart contracts are not inherently immune to exploitation. Instead, they can be examined through decompilation techniques that reconstruct higher-level representations of bytecode. Chainalysis reported that over the six-month period, attackers successfully exploited several unverified contracts, resulting in cumulative losses of approximately $36.7 million across a small number of incidents. This figure remains significantly lower than the more than $1 billion reportedly stolen from verified contracts across a much larger set of protocols, according to DeFiLlama data; however, the report noted that attacks on unverified systems may increase as tooling improves.

The dataset focused on protocol-owned contracts responsible for managing or controlling user funds that were unverified at the time of exploitation. In each identified case, no publicly accessible source code was available on relevant block explorers, meaning attackers relied on reverse engineering techniques to understand contract behavior.

Reverse Engineering and Exploitation of Unverified Smart Contracts

A detailed case highlighted in the report involved the Truebit protocol, where approximately $26.2 million was drained in January 2026. The targeted contract, deployed on Ethereum in 2021, had never been verified on Etherscan. The system used a bonding curve mechanism allowing users to mint and redeem tokens against ETH.

The vulnerability was traced to an integer overflow in a pricing function, where arithmetic behavior in an older Solidity version allowed values to wrap incorrectly, enabling attackers to mint a large number of tokens at negligible cost before redeeming them for ETH. On-chain analysis also suggested the exploit was not isolated, with evidence indicating prior activity against other protocols and subsequent laundering of proceeds through privacy tools.
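The wrap-around failure mode described above can be reproduced in a small model. This is an added example, not code from the report or from the affected protocol: the linear curve, `SLOPE`, and the sample mint sizes are assumptions chosen for illustration, and Python integers masked to 256 bits stand in for EVM `uint256` arithmetic.

```python
UINT256_MAX = 2**256 - 1
SLOPE = 1  # assumed: the n-th token costs SLOPE * n wei (hypothetical linear curve)

class Overflow(Exception):
    """Stands in for the revert that checked arithmetic produces."""

def wrapping(op):
    # Unchecked uint256 arithmetic: the result is silently reduced mod 2**256.
    return lambda a, b: op(a, b) & UINT256_MAX

def checked(op):
    # Checked arithmetic (the Solidity >= 0.8 default, or SafeMath before it).
    def inner(a, b):
        result = op(a, b)
        if result > UINT256_MAX:
            raise Overflow(f"uint256 overflow on operands {a} and {b}")
        return result
    return inner

def mint_cost(supply, amount, mode):
    """Wei owed to mint `amount` tokens on top of `supply`:
    SLOPE * amount * (2 * supply + amount) / 2, evaluated in uint256."""
    mul = mode(lambda a, b: a * b)
    add = mode(lambda a, b: a + b)
    return mul(mul(SLOPE, amount), add(mul(2, supply), amount)) // 2

def demo():
    honest = (1000, 10)      # constructed: small mint on an existing supply
    oversized = (0, 2**128)  # constructed: amount squared equals exactly 2**256
    results = {
        "honest_wrapping": mint_cost(*honest, wrapping),
        "honest_checked": mint_cost(*honest, checked),
        "oversized_wrapping": mint_cost(*oversized, wrapping),
    }
    try:
        mint_cost(*oversized, checked)
        results["oversized_checked"] = "accepted"
    except Overflow:
        results["oversized_checked"] = "reverted"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both modes agree on ordinary mints, which is why this class of bug can sit unnoticed for years; only the checked path rejects the oversized request instead of pricing it at zero.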

The report outlined several structural reasons why unverified contracts may attract attackers. One factor is the increasing effectiveness of automated decompilation tools, which can reconstruct readable code from bytecode. These outputs can then be processed by large language models capable of identifying common vulnerabilities such as reentrancy issues, access control failures, and arithmetic errors. When integrated into automated pipelines, such systems can scan large volumes of contracts and prioritize those with higher perceived exploitability, reducing the time required for vulnerability discovery.

Another contributing factor is the absence of community review. Verified contracts typically benefit from informal auditing by researchers, auditors, and developers who review open code as part of broader ecosystem activity. Unverified contracts lack this layer of scrutiny, meaning vulnerabilities may remain undetected until exploitation occurs. In addition, some bug bounty programs explicitly exclude unverified deployments from coverage, further reducing incentives for external review.

The report also outlined mitigation approaches for protocols, including routine source code verification for all production contracts, comprehensive auditing of deployed code rather than intended implementations, and expanded bug bounty coverage for all user-facing contracts regardless of verification status. It further emphasized the importance of real-time monitoring systems capable of detecting anomalous on-chain behavior, particularly in environments where rapid exploitation can occur within minutes.
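One form the real-time monitoring mentioned above can take is an invariant check that recomputes the curve price off-chain with exact integers and compares it with what each mint actually paid. This is an added example, not a tool from the report: the linear curve, the event field names, the tolerance, and the sample events are all constructed assumptions.

```python
SLOPE = 1  # assumed: hypothetical linear curve, n-th token costs SLOPE * n wei

def curve_integral(supply):
    """Wei the reserve must hold to back `supply` tokens (exact Python ints,
    so the monitor cannot wrap the way the on-chain arithmetic might)."""
    return SLOPE * supply * supply // 2

def check_event(ev, tolerance_bps=50):
    """Return the invariants a mint event violates; an empty list means clean."""
    reasons = []
    before = ev["supply_before"]
    after = before + ev["minted"]
    expected = curve_integral(after) - curve_integral(before)
    # Payment must cover the exact curve cost, minus a small rounding tolerance.
    if ev["wei_paid"] * 10_000 < expected * (10_000 - tolerance_bps):
        reasons.append("underpaid_mint")
    # Solvency: the reserve must still back every token in circulation.
    if ev["reserve_after"] < curve_integral(after):
        reasons.append("reserve_below_backing")
    return reasons

def scan(events):
    """Return (tx, reasons) for every event that breaks an invariant."""
    return [(ev["tx"], r) for ev in events if (r := check_event(ev))]

# Constructed sample events; the field names are assumptions, not a real log schema.
EVENTS = [
    {"tx": "tx-1", "supply_before": 1000, "minted": 10,
     "wei_paid": 10_050, "reserve_after": 510_050},
    {"tx": "tx-2", "supply_before": 1010, "minted": 100,
     "wei_paid": 106_000, "reserve_after": 616_050},
    {"tx": "tx-3", "supply_before": 1110, "minted": 2**128,
     "wei_paid": 0, "reserve_after": 616_050},
]

if __name__ == "__main__":
    for tx, reasons in scan(EVENTS):
        print(f"ALERT {tx}: {', '.join(reasons)}")
```

Because the check depends only on emitted values and the intended pricing formula, it works the same whether or not the contract's source is verified.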

Looking ahead, Chainalysis suggested that the combination of growing volumes of unverified contracts, improved decompilation tools, and increasingly capable AI-driven analysis systems could accelerate the trend of automated exploitation. The report referenced broader research indicating that AI systems are already capable of assisting in the identification of vulnerabilities and, in some cases, executing exploit strategies against vulnerable smart contracts.

The findings place unverified smart contracts within a broader shift in software security, where automated tools are increasingly used both to discover and exploit vulnerabilities at scale. In this environment, the report concluded that reliance on obscurity in smart contract design is becoming less effective as a security measure, particularly as automated analysis pipelines continue to mature.


About The Author

Alisa, a dedicated journalist at the MPost, specializes in crypto, AI, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.

Alisa Davidson