Chainalysis reports $36.7M stolen from unverified smart contracts in six months, as attackers exploit decompiled code and AI tools, highlighting rising risks in

Unverified Smart Contracts Increasingly Targeted In $36.7M Wave Of Crypto Exploits, Chainalysis Warns

2026/06/10 19:01

Chainalysis, a blockchain data and analytics firm, has published a report indicating that at least $36.7 million was stolen over the past six months from cryptocurrency protocols whose smart contract source code was not publicly verified. The findings suggest that attackers targeted unverified contracts by reverse-engineering compiled bytecode in order to identify vulnerabilities, in some cases exploiting long-standing flaws.

The report situates these incidents within an ongoing debate in the crypto security sector regarding whether open-sourcing smart contract code improves security or inadvertently assists attackers by providing a clear view of system logic. While most major decentralized finance (DeFi) protocols publish and verify their source code on block explorers such as Etherscan, a subset of protocols continues to operate with closed-source contracts, limiting transparency for both attackers and legitimate security researchers.

According to the analysis, unverified smart contracts are not inherently immune to exploitation. Instead, they can be examined through decompilation techniques that reconstruct higher-level representations of bytecode. Chainalysis reported that over the six-month period, attackers successfully exploited several unverified contracts, resulting in cumulative losses of approximately $36.7 million across a small number of incidents. This figure remains significantly lower than the more than $1 billion reportedly stolen from verified contracts across a much larger set of protocols, according to DeFiLlama data; however, the report noted that attacks on unverified systems may increase as tooling improves.

The dataset focused on protocol-owned contracts responsible for managing or controlling user funds that were unverified at the time of exploitation. In each identified case, no publicly accessible source code was available on relevant block explorers, meaning attackers relied on reverse engineering techniques to understand contract behavior.

Reverse Engineering and Exploitation of Unverified Smart Contracts

A detailed case highlighted in the report involved the Truebit protocol, where approximately $26.2 million was drained in January 2026. The targeted contract, deployed on Ethereum in 2021, had never been verified on Etherscan. The system used a bonding curve mechanism allowing users to mint and redeem tokens against ETH.

The vulnerability was traced to an integer overflow in a pricing function, where arithmetic behavior in an older Solidity version allowed values to wrap incorrectly, enabling attackers to mint a large number of tokens at negligible cost before redeeming them for ETH. On-chain analysis also suggested the exploit was not isolated, with evidence indicating prior activity against other protocols and subsequent laundering of proceeds through privacy tools.
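The wrap-around behaviour described above can be modelled off-chain. The following is an added illustration, not code from the Chainalysis report or from the affected contract: the linear bonding curve, the function names and all values are constructed assumptions, and only the multiplication is modelled as a 256-bit operation.

```python
# Added example: unchecked vs. checked uint256 multiplication in a toy
# mint-pricing function. The curve and all numbers are constructed.
UINT256_MOD = 2**256


def mul_uint256(a: int, b: int, checked: bool) -> int:
    """Multiply as the EVM would for uint256 operands.

    checked=False models Solidity < 0.8 without SafeMath: the result is
    silently reduced modulo 2**256.
    checked=True models Solidity >= 0.8 (or SafeMath): overflow aborts.
    """
    product = a * b
    if product >= UINT256_MOD:
        if checked:
            raise OverflowError("uint256 multiplication overflow (revert)")
        product %= UINT256_MOD
    return product


def true_cost(supply: int, amount: int) -> int:
    """Reference cost with unbounded integers: the area under a linear
    curve price(s) = s between supply and supply + amount."""
    return amount * (2 * supply + amount) // 2


def mint_cost(supply: int, amount: int, checked: bool) -> int:
    """Same formula, but the product is computed in 256-bit arithmetic.
    The addition is left unbounded; it does not overflow for the values here."""
    return mul_uint256(amount, 2 * supply + amount, checked) // 2


if __name__ == "__main__":
    supply = 10**24                      # constructed circulating supply
    for amount in (10**18, 2**128):      # ordinary mint, oversized mint
        wrapped = mint_cost(supply, amount, checked=False)
        print(f"amount={amount}")
        print(f"  unchecked cost: {wrapped}")
        print(f"  true cost     : {true_cost(supply, amount)}")
        try:
            mint_cost(supply, amount, checked=True)
            print("  checked       : ok")
        except OverflowError as exc:
            print(f"  checked       : {exc}")
```

For the oversized mint the unchecked result loses the high-order term entirely, which is the under-pricing the paragraph describes; the checked variant aborts instead of returning a price.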

The report outlined several structural reasons why unverified contracts may attract attackers. One factor is the increasing effectiveness of automated decompilation tools, which can reconstruct readable code from bytecode. These outputs can then be processed by large language models capable of identifying common vulnerabilities such as reentrancy issues, access control failures, and arithmetic errors. When integrated into automated pipelines, such systems can scan large volumes of contracts and prioritize those with higher perceived exploitability, reducing the time required for vulnerability discovery.

Another contributing factor is the absence of community review. Verified contracts typically benefit from informal auditing by researchers, auditors, and developers who review open code as part of broader ecosystem activity. Unverified contracts lack this layer of scrutiny, meaning vulnerabilities may remain undetected until exploitation occurs. In addition, some bug bounty programs explicitly exclude unverified deployments from coverage, further reducing incentives for external review.

The report also outlined mitigation approaches for protocols, including routine source code verification for all production contracts, comprehensive auditing of deployed code rather than intended implementations, and expanded bug bounty coverage for all user-facing contracts regardless of verification status. It further emphasized the importance of real-time monitoring systems capable of detecting anomalous on-chain behavior, particularly in environments where rapid exploitation can occur within minutes.
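One way a protocol team could implement the monitoring recommendation is an off-chain invariant check over mint and redeem events. This is an added sketch, not a tool named in the report: the event shape, the toy linear curve, the thresholds and the sample events are all constructed assumptions.

```python
# Added example: invariant monitor for a bonding-curve contract.
# Event fields, curve, thresholds and sample data are constructed.
from dataclasses import dataclass


@dataclass
class Event:
    block: int
    kind: str      # "mint" or "redeem"
    tokens: int
    eth_wei: int   # ETH paid in (mint) or paid out (redeem)


def expected_mint_cost(supply: int, amount: int) -> int:
    # Recomputed with unbounded integers, so an on-chain wrap cannot hide here.
    return amount * (2 * supply + amount) // 2


def monitor(events, supply=0, reserve=0, tolerance_bps=100, drain_bps=2000):
    """Return (block, alert) tuples.

    underpriced_mint    : ETH paid is more than tolerance_bps below the
                          independently recomputed curve price.
    large_reserve_drain : a single redeem pays out more than drain_bps
                          of the tracked reserve.
    """
    alerts = []
    for ev in events:
        if ev.kind == "mint":
            want = expected_mint_cost(supply, ev.tokens)
            if ev.eth_wei * 10_000 < want * (10_000 - tolerance_bps):
                alerts.append((ev.block, "underpriced_mint"))
            supply += ev.tokens
            reserve += ev.eth_wei
        elif ev.kind == "redeem":
            if reserve and ev.eth_wei * 10_000 > reserve * drain_bps:
                alerts.append((ev.block, "large_reserve_drain"))
            supply -= ev.tokens
            reserve -= ev.eth_wei
    return alerts


# Constructed event stream: three ordinary operations, then an anomaly.
SAMPLE_EVENTS = [
    Event(100, "mint", 1_000, 500_000),
    Event(101, "mint", 2_000, 4_000_000),
    Event(102, "redeem", 100, 295_000),
    Event(104, "mint", 10**9, 0),
    Event(105, "redeem", 10**9, 4_000_000),
]

if __name__ == "__main__":
    for block, alert in monitor(SAMPLE_EVENTS):
        print(block, alert)
```

Because the expected price is recomputed outside the contract, the check does not depend on the deployed bytecode being correct, which matters most for the fast-moving incidents the report describes.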

Looking ahead, Chainalysis suggested that the combination of growing volumes of unverified contracts, improved decompilation tools, and increasingly capable AI-driven analysis systems could accelerate the trend of automated exploitation. The report referenced broader research indicating that AI systems are already capable of assisting in the identification of vulnerabilities and, in some cases, executing exploit strategies against vulnerable smart contracts.

The findings place unverified smart contracts within a broader shift in software security, where automated tools are increasingly used both to discover and exploit vulnerabilities at scale. In this environment, the report concluded that reliance on obscurity in smart contract design is becoming less effective as a security measure, particularly as automated analysis pipelines continue to mature.

The post Unverified Smart Contracts Increasingly Targeted In $36.7M Wave Of Crypto Exploits, Chainalysis Warns appeared first on Metaverse Post.
