Trade
Basic
Futures
Futures
Hundreds of contracts settled in USDT or BTC
Options
HOT
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Futures Kickoff
Get prepared for your futures trading
Futures Events
Participate in events to win generous rewards
Demo Trading
Use virtual funds to experience risk-free trading
Earn
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
Launchpad
Be early to the next big token project
Alpha Points
NEW
Trade on-chain assets and enjoy airdrop rewards!
Futures Points
NEW
Earn futures points and claim airdrop rewards
Investment
Simple Earn
Earn interests with idle tokens
Auto-Invest
Auto-invest on a regular basis
Dual Investment
Buy low and sell high to take profits from price fluctuations
Soft Staking
Earn rewards with flexible staking
Crypto Loan
0 Fees
Pledge one crypto to borrow another
Lending Center
One-stop lending hub
VIP Wealth Hub
Customized wealth management empowers your assets growth
Private Wealth Management
Customized asset management to grow your digital assets
Quant Fund
Top asset management team helps you profit without hassle
Staking
Stake cryptos to earn in PoS products
Smart Leverage
NEW
No forced liquidation before maturity, worry-free leveraged gains
GUSD Minting
Use USDT/USDC to mint GUSD for treasury-level yields
More
Trending Topics
View More12.67K Popularity
17.24K Popularity
55.57K Popularity
14.95K Popularity
94.24K Popularity
Pin
On January 9th early morning, a previously undisclosed contract deployed by Truebit Protocol was successfully exploited by an attacker, resulting in a loss of 8,535.36 ETH, equivalent to approximately $26.4 million. The security team conducted an in-depth investigation and analysis of the incident.
Attack Process Breakdown
Main attack transaction hash: 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014
The attacker’s steps are quite clear:
First, call the getPurchasePrice() function to query price information. Then, move to the core vulnerability—call the flawed function 0xa0296215() with a very low msg.value. Since the contract source code is not public, decompilation results show that this function has an arithmetic logic vulnerability, likely due to improper integer truncation. Because of this, the attacker was able to mint a large amount of TRU tokens out of thin air.
Next is the cash-out phase. The attacker uses the burn function to "sell" the minted tokens back to the contract, extracting a large amount of ETH. This process was repeated 4 times, each time increasing the msg.value, ultimately nearly draining the contract’s ETH reserves.
Funds Chain Tracking
Based on on-chain data, the team used blockchain investigation and tracking tools to trace the flow of the stolen funds… (The original text does not provide further details)