Chainalysis: Unverified Smart Contracts Tied to $36.7 Million in DeFi Exploit Losses

2026-06-09 21:53:43
Unverified smart contracts were linked to at least $36.7 million in losses across four DeFi exploits over the past six months, as attackers increasingly target protocols whose source code is not publicly available, Chainalysis reported. According to Cointelegraph, the largest incident involved Truebit, which lost $26.2 million after an attacker exploited an integer overflow vulnerability in a contract that had remained unverified on Ethereum since 2021. Chainalysis said the other incidents involved Trusted Volumes, Aperture Finance and Ekubo, and that in each case the exploited contract had not been verified on a blockchain explorer, leaving its source code unavailable for public review. The firm said this reduced scrutiny from security researchers and excluded the contracts from many bug bounty programs despite the contracts controlling user funds.

Chainalysis attributed the growing focus on unverified contracts partly to advances in decompilation tools and artificial intelligence, which can help attackers reverse-engineer smart contract bytecode and identify vulnerabilities even when source code is hidden. The report said tasks that once required a skilled reverse engineer spending days on a single contract can now be partially automated across large numbers of unverified contracts. Chainalysis also challenged the DeFi assumption that keeping code private adds security, arguing that protocols are increasingly relying on obscurity as a security measure and that this approach is losing effectiveness. As safeguards, the firm recommended verifying source code, expanding bug bounty coverage, and deploying real-time monitoring tools.

The findings come as broader crypto exploit activity remains elevated. According to DeFiLlama, hackers stole $629.7 million in April alone, the highest monthly total since February 2025, with KelpDAO losing $293 million and Drift Protocol suffering a $280 million exploit, together accounting for more than 80% of the month’s stolen funds. Losses fell in May, with CertiK reporting $68.3 million stolen from cryptocurrency exploits, but the fallout from April continued. In June, blockchain intelligence platform Arkham reported that the attacker behind the KelpDAO exploit had laundered nearly all of the roughly $220 million in unfrozen stolen funds. The KelpDAO incident also led several DeFi protocols to review security infrastructure, including Solv Protocol, which announced plans to migrate to Chainlink’s crosschain infrastructure following internal security reviews. Separately, this month Anthropic said 560 of the 832 accounts it banned for policy violations over a one-year period had used AI to help prepare cyberattacks, including writing malware and identifying vulnerabilities.