A growing number of DeFi exploits are targeting an often-overlooked weakness: unverified smart contracts.
According to a new report from Chainalysis, attackers stole at least $36.7 million from four protocols over the past six months by exploiting vulnerabilities in contracts whose source code had never been publicly verified. The findings point to an emerging attack pattern in which threat actors reverse-engineer deployed bytecode to uncover flaws that remain hidden from auditors, bug bounty participants, and independent security researchers.
While the losses represent only a small portion of the more than $1 billion stolen from DeFi protocols during the same period, Chainalysis argues that the trend could accelerate as AI-powered tools make contract analysis faster and more scalable.
Four exploits accounted for $36.7M in losses
Chainalysis identified four major incidents involving protocol-owned contracts that were unverified on blockchain explorers at the time of exploitation.
The largest attack targeted the Ethereum-based protocol Truebit, which lost approximately $26.2 million in January. Other affected projects included Trusted Volumes, Aperture Finance, and Ekubo, bringing total losses to roughly $36.7 million.
According to the report, each exploited contract lacked publicly available source code, forcing attackers to rely on decompiled bytecode rather than original Solidity code. The vulnerabilities varied across protocols, ranging from integer overflow bugs and access-control failures to input-validation weaknesses and identity verification flaws.
Truebit exploit highlights risks of legacy code
The Truebit attack illustrates how older contracts can remain vulnerable for years without public scrutiny.
Chainalysis said the exploited contract had been deployed on Ethereum since 2021 and contained an integer overflow vulnerability within its bonding curve mechanism. Because the contract was compiled using Solidity v0.5.3, a version released before automatic overflow protections became standard, an attacker was able to manipulate calculations and mint large amounts of tokens at minimal cost before redeeming them for ETH.
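To make the bug class concrete, here is an added Python model of the arithmetic the report describes; it is not code from the Chainalysis report or from Truebit. EVM integers are 256 bits wide, and before Solidity 0.8.0 a multiplication silently wrapped modulo 2**256 unless the contract used a library such as SafeMath. The linear bonding curve, prices and amounts below are constructed for illustration; the point is the contrast between the wrapping and the checked multiplication, which is the fix a maintainer would apply (recompile under 0.8+ or use checked math).

```python
# Added example (not from the Chainalysis report or any protocol's code).
# Models pre-0.8 Solidity wrapping multiplication against checked multiplication
# inside a constructed bonding-curve quote.

UINT256_MAX = 2**256 - 1
MODULUS = 2**256


def mul_unchecked(a: int, b: int) -> int:
    """Solidity < 0.8 semantics: the product wraps modulo 2**256."""
    return (a * b) % MODULUS


def mul_checked(a: int, b: int) -> int:
    """Solidity >= 0.8 (or SafeMath) semantics: the transaction reverts on overflow."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow; transaction would revert")
    return product


BASE_PRICE_WEI = 10**15  # constructed: 0.001 ETH per token at zero supply
SLOPE_WEI = 10**12       # constructed: price rises 0.000001 ETH per token in circulation


def spot_price(supply: int) -> int:
    """Constructed linear bonding curve: price per token grows with supply."""
    return BASE_PRICE_WEI + SLOPE_WEI * supply


def quote_cost(supply: int, amount: int, mul) -> int:
    """Cost in wei to mint `amount` tokens, using the supplied multiplication semantics.

    Deliberately simplified (spot price, no integral over the curve) so the
    effect of the arithmetic semantics is the only thing that changes.
    """
    return mul(amount, spot_price(supply))


def wrapping_amount(price: int) -> int:
    """Smallest token amount whose cost exceeds 2**256 at the given price."""
    return MODULUS // price + 1


def demo() -> dict:
    """Quote an honest purchase and an over-large one under both semantics."""
    supply = 1_000_000
    price = spot_price(supply)
    honest_cost = quote_cost(supply, 10, mul_unchecked)
    huge_amount = wrapping_amount(price)

    # Under wrapping arithmetic the quoted cost collapses to less than one token's price.
    wrapped_cost = quote_cost(supply, huge_amount, mul_unchecked)

    # Under checked arithmetic the same quote reverts instead of returning a number.
    try:
        quote_cost(supply, huge_amount, mul_checked)
        checked_reverted = False
    except OverflowError:
        checked_reverted = True

    return {
        "price_wei": price,
        "honest_cost_wei": honest_cost,
        "wrapped_cost_wei": wrapped_cost,
        "wrapped_cost_below_one_token": wrapped_cost < price,
        "checked_reverted": checked_reverted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detail worth noticing for a reviewer or auditor is that the wrapped quote is not zero or negative but a small positive number, so a naive `require(cost > 0)` guard would still pass; only checked arithmetic (or an explicit bound on `amount`) closes the gap.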
The report also noted evidence suggesting the same attacker had previously tested similar techniques on smaller targets before carrying out the larger exploit.
Why attackers are targeting unverified contracts
Although closed-source contracts appear harder to analyze at first glance, Chainalysis argues they often receive less security oversight than verified deployments. Publicly verified contracts can be reviewed by auditors, independent researchers, and bug bounty participants, creating additional opportunities for vulnerabilities to be discovered before attackers find them. Unverified contracts lack that layer of community scrutiny.
Many bug bounty programs also exclude contracts that are not publicly verified, leaving significant portions of protocol infrastructure outside formal security review processes. As a result, vulnerabilities can remain undetected for extended periods while the affected contracts continue to control substantial amounts of user funds.
AI is lowering the barrier to smart contract analysis
Chainalysis highlighted advances in decompilation software and large language models as a key factor behind the trend. Tools such as Dedaub, Heimdall, and Panoramix can convert Ethereum bytecode into readable Solidity-like code. Once decompiled, that output can be analyzed by AI systems capable of identifying common vulnerabilities, including reentrancy flaws, arithmetic errors, and access-control weaknesses.
The report suggests attackers can increasingly automate the process of scanning large numbers of unverified contracts, prioritizing targets based on exploitability and potential returns. This reduces the time and expertise previously required to identify vulnerabilities in closed-source code.
Security recommendations for DeFi protocols
Chainalysis said protocols should treat source-code verification as a baseline security requirement for any contract responsible for holding or managing user assets. The firm also recommended extending audits and bug bounty coverage to all deployed contracts, including implementation contracts hidden behind proxy structures.
For teams that continue to deploy unverified contracts, the report emphasized the importance of real-time monitoring systems capable of detecting suspicious transactions and abnormal contract interactions before exploits escalate.
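As an added illustration of the monitoring the report recommends (not code from Chainalysis or any protocol), the Python below scores mint events against the protocol's own price quote and flags two signals a bonding-curve exploit produces: tokens minted for a fraction of the quoted price, and a single transaction that inflates supply far beyond normal activity. The event records, the linear price curve, the thresholds and the transaction identifiers are all constructed; a real deployment would feed it decoded `Transfer` events (from the zero address) and the attached `msg.value` from a node or indexer.

```python
# Added example (not from the Chainalysis report or any protocol's tooling).
# Rule-based detector for abnormal mint transactions on a bonding-curve token.

from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "0" * 40  # mints appear as Transfer events from this address


@dataclass(frozen=True)
class MintEvent:
    tx_hash: str         # constructed placeholder, not a real transaction hash
    wei_paid: int        # msg.value attached to the buy transaction
    tokens_minted: int   # Transfer(from=ZERO_ADDRESS) amount decoded from the log
    supply_before: int   # circulating supply immediately before the transaction


def expected_price_wei(supply: int) -> int:
    """The protocol's own quote; here a constructed linear curve."""
    return 10**15 + 10**12 * supply


def check_mint(event: MintEvent, max_discount: float = 0.5,
               max_supply_growth: float = 0.10) -> list[str]:
    """Return alert strings for one mint event; an empty list means it looks normal.

    max_discount: tolerate paying down to this fraction below the quoted price
                  (covers fees, rounding and slippage).
    max_supply_growth: largest fraction of existing supply one tx may mint.
    """
    alerts = []
    if event.tokens_minted <= 0:
        return alerts

    quoted = expected_price_wei(event.supply_before)
    implied = event.wei_paid / event.tokens_minted
    if implied < quoted * (1 - max_discount):
        alerts.append(
            f"{event.tx_hash}: implied price {implied:.3e} wei/token is "
            f"{implied / quoted:.2%} of quoted {quoted} wei/token"
        )

    if event.supply_before > 0 and event.tokens_minted > event.supply_before * max_supply_growth:
        alerts.append(
            f"{event.tx_hash}: mint of {event.tokens_minted} tokens grows supply by "
            f"{event.tokens_minted / event.supply_before:.1%} in a single transaction"
        )
    return alerts


def scan(events) -> list[str]:
    """Run every event through the rules and collect alerts in order."""
    alerts = []
    for event in events:
        alerts.extend(check_mint(event))
    return alerts


# Constructed sample stream: two ordinary buys and one that matches the exploit pattern.
SAMPLE_EVENTS = [
    MintEvent("0xtx_normal_01", wei_paid=10 * expected_price_wei(1_000_000),
              tokens_minted=10, supply_before=1_000_000),
    MintEvent("0xtx_discount_02", wei_paid=int(0.95 * 5 * expected_price_wei(1_000_010)),
              tokens_minted=5, supply_before=1_000_010),
    MintEvent("0xtx_anomaly_03", wei_paid=123, tokens_minted=10**30,
              supply_before=1_000_015),
]


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT", line)
```

Both rules are deliberately independent: a price-only rule misses a mint that pays a fair price but is impossibly large, and a size-only rule misses repeated small underpriced mints, so a monitor should page on either and treat both firing in one transaction as high confidence.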
A growing threat across DeFi
Chainalysis believes the combination of unverified smart contracts, increasingly sophisticated decompilation tools, and AI-assisted vulnerability analysis is creating a new risk category for DeFi.
The report argues that relying on code secrecy is becoming less effective as attackers gain access to automated systems capable of analyzing smart contracts at scale. With millions of dollars still locked in unverified contracts across Ethereum and other EVM-compatible networks, the firm warns that such deployments may continue to attract attackers searching for overlooked vulnerabilities.
