The SlowMist blockchain security outfit shared its report of the audit on the hack that drained $26 million from the Truebit Protocol. According to the report , the root cause of the attack was that the addition operation in the numerator of the Purchase contract’s price calculation did not use the SafeMath library for overflow protection. How did the Truebit hack happen? SlowMist’s audit report revealed that Truebit’s contract was reportedly compiled with Solidity 0.6.10, and the native + operator does not include overflow checks. The attacker was able to wreak so much havoc by crafting a specific minting amount, which triggered the addition operation to exceed the maximum value of uint256 and wrap around. The function made the Price = 0, enabling near-zero-cost token minting and arbitrage, which the hacker quickly took advantage of to drain 8,535 ETH (~$26.44 million). The report ended with advice from the SlowMist team. “The SlowMist security team recommends that for contracts compiled with Solidity versions below 0.8.0, developers should ensure that all arithmetic operations are protected using the SafeMath library to prevent logic vulnerabilities caused by integer overflows,” it read. The Truebit team has acknowledged the hack , identifying the affected smart contract and advising the public to avoid interacting with it until further notice. “We are in contact with law enforcement and taking all available measures to address the situation. We will share updates through our official channels as they become available,” they claimed. One day later, the team claimed to be working hard to address the incident and that it had “engaged additional resources to strengthen tracing and recovery,” while promising updates through official channels. In the comments section of the post, community members offered various next steps to the team, with a majority claiming the protocol had become unusable, that it was unlikely they would recover the funds, and needed to admit that. Commentators have noted that full recovery could be impossible. The $TRU token is still down 100% with zero percentage change and virtually no trading volume reported across major platforms since the hack, which reflects a complete lack of faith in the potential of the project to bounce back. Truebit hack gave Uniswap brief boost Cryptopolitan reported on January 8 that Uniswap recorded over $1.4 million in daily trading fee capture revenue, the highest the platform has ever recorded since it was established. However, that record number came with a caveat. According to a Dune dashboard created by an analyst named Marcov, nearly $1.3 million of those fees came directly from trades related to Truebit’s TRU token. Marcov has now filtered out those values from the live dashboard because the token value has dropped to zero and won’t be claimed and used to burn UNI. If you're reading this, you’re already ahead. Stay there with our newsletter .
