Obfuscation Alone Won't Hide Your Bug-Soup Anymore — Chainalysis Logs $36.7M Lost to Unverified DeFi Contracts
Attackers drained at least $36.7 million from four decentralized finance (DeFi) protocols running unverified smart contracts over the past six months, according to a report from Chainalysis, with the firm linking the trend to AI-assisted exploit pipelines that can decompile and triage closed-source code at scale. The largest incident occurred on January 8, when an attacker exploited an integer overflow vulnerability in a Truebit contract that had remained unverified on Ethereum ($ETH) since 2021, minting tokens for almost nothing and burning them for real ETH in a $26.2 million drain. The other incidents involved Trusted Volumes, Aperture Finance and Ekubo, with each exploited contract excluded from public source-code review and from many of the underlying protocols' bug bounty programs. Chainalysis noted that five protocols saw exploits on unverified smart contracts, and that the same Truebit-linked address had drained 5 ETH from the Sparkle protocol twelve days before the larger attack, with proceeds from both exploits laundered through Tornado Cash.
Chainalysis attributed the rise to advances in decompilation tools and artificial intelligence, citing decompilers including Dedaub, Heimdall and Panoramix that convert raw bytecode into readable Solidity, which is then fed into large language models to flag reentrancy bugs, access control gaps and arithmetic errors. "What once required a skilled reverse engineer spending days on a single contract can now be partially automated across an entire blockchain's unverified contract inventory. Attackers operating these pipelines gain a structural advantage: they can cover far more ground than the defenders monitoring for suspicious activity," Chainalysis said. The firm recommended source code verification, broader bug bounty coverage and real-time monitoring tools as safeguards.
The report arrives against a backdrop of elevated crypto theft. DeFiLlama data shows hackers stole $629.7 million in April, the highest monthly total since February 2025, with KelpDAO losing $293 million and Drift Protocol losing $280 million in two incidents that together accounted for more than 80% of the month's stolen funds. May losses fell sharply, with CertiK reporting $68.3 million stolen from cryptocurrency exploits, while in June Arkham reported that the KelpDAO attacker had laundered nearly all of the roughly $220 million in unfrozen stolen funds. The KelpDAO exploit also prompted DeFi protocols including Solv Protocol to announce plans to migrate to Chainlink's crosschain infrastructure following internal security reviews. Anthropic has separately said AI can now perform advanced attack steps for low-skilled hackers, further contributing to the structural shift Chainalysis describes.