A growing number of crypto hackers are targeting unverified smart contracts, exploiting vulnerabilities hidden within closed-source code and stealing millions of dollars in the process.
According to a new security brief released by blockchain analytics firm Chainalysis, attackers have stolen approximately $36.7 million from five major decentralized finance (DeFi) protocols over the past six months by exploiting vulnerabilities in contracts whose source code was never publicly verified.
The findings suggest that advances in artificial intelligence and smart contract decompilation tools are making it easier than ever for attackers to reverse-engineer hidden code and identify exploitable weaknesses.
The four major exploits
Chainalysis identified four key incidents involving unverified protocol contracts between January and May 2026.
The largest attack targeted Truebit on January 8, resulting in losses of approximately $26.2 million. Investigators said the exploit stemmed from an integer overflow vulnerability inside the protocol’s bonding curve mechanism.
Other incidents included Trusted Volumes, which saw $5.9 million stolen through an access-control flaw. Aperture Finance: $3.2 million lost through an input validation bypass in January, and Ekubo saw $1.4 million stolen after a callback function failed to verify the payer’s identity in May.
In every case, the affected contracts were unverified on block explorers and lacked publicly available source code at the time of exploitation. Notably, this represents only a small portion of the more than $1 billion stolen from DeFi protocols during the same period, but the trend is what matters.
Truebit exploit highlights a growing threat
The Truebit attack has become one of the most notable examples of the trend.
According to Chainalysis, the vulnerable contract had been deployed since 2021 and remained unverified on Etherscan. Attackers allegedly exploited an integer overflow bug within the protocol’s pricing mechanism, allowing them to mint hundreds of millions of tokens for almost no cost before redeeming them for real ETH.
Investigators also discovered evidence suggesting the attacker had been systematically hunting vulnerable contracts before escalating to the multi-million-dollar exploit.
“This was not an opportunistic find,” Chainalysis noted, adding that the attacker appeared to be testing vulnerabilities across multiple protocols before executing the larger attack.
AI rewrites the economics of exploitation
Chainalysis argues that advances in artificial intelligence may be accelerating this trend. Modern decompilation tools can convert EVM bytecode into readable Solidity-like code. Once reconstructed, that code can be analyzed by large language models capable of identifying common vulnerability patterns, including reentrancy flaws, access-control failures, and arithmetic errors.
Researchers increasingly believe attackers are building automated pipelines capable of scanning thousands of contracts simultaneously and prioritizing targets based on exploitability and potential profit.
According to the report, what previously required days of manual reverse engineering can now be partially automated at scale.
Why attackers like unverified contracts
While unverified contracts require additional effort to analyze, they also offer significant advantages to attackers.
Unlike verified contracts, closed-source deployments receive little scrutiny from independent researchers, white-hat hackers, or competitive auditors. Many are also excluded from bug bounty programs, reducing the likelihood that vulnerabilities will be discovered and responsibly disclosed before exploitation.
As a result, attackers often face less competition when searching for exploitable flaws.
The report suggests that some protocols mistakenly assume hiding source code improves security, even as modern tooling continues to erode that advantage.
Recent exploits highlight broader security risks
The Chainalysis findings come amid a series of major crypto security incidents that have exposed vulnerabilities across smart contract and bridge infrastructure.
Earlier this week, Humanity Protocol disclosed that attackers compromised administrator keys controlling parts of its bridge system, stealing more than $36 million worth of H tokens and minting hundreds of millions of additional tokens on BNB Chain. The incident triggered a sharp selloff, with the H token losing roughly 80% of its value.
Meanwhile, Syscoin paused its bridge operations after a validation flaw allowed an attacker to create approximately 5 billion unauthorized SYS tokens. The project has since implemented a fix and coordinated with exchanges to track and restrict the affected funds.
While these incidents differ from the unverified smart contract exploits highlighted by Chainalysis, they demonstrate how weaknesses in smart contract infrastructure, bridge validation systems, and administrative controls continue to present significant security risks across the crypto ecosystem.
Chainalysis concludes that protocols should treat source code verification as a minimum security standard rather than an optional feature.
The firm recommends verifying all production contracts, expanding bug bounty coverage, auditing deployed code rather than development versions, and implementing real-time monitoring capable of detecting suspicious on-chain activity before losses escalate.
As AI-powered analysis tools continue improving, protocols relying on hidden code may increasingly find that secrecy alone is no longer enough to protect user funds.
Also read: Bleak May 2026: Over $60M Stolen, $20B TVL Melt, and DeFi’s “Unsafe” Reckoning
