KeyAudit

Tags: defi-exploit, private-key-leak, audit-finding

Attackers Stole $36.7M from Unverified Smart Contracts in Six Months

In the past six months, at least $36.7 million has been stolen from protocols whose source code was never publicly verified on block explorers like Etherscan. Attackers reverse-engineered raw bytecode to find vulnerabilities, a trend accelerated by AI-assisted exploit development. Despite holding significant user funds, unverified contracts escape community scrutiny and bug bounties, making them attractive targets. Key cases include Truebit ($26.2M, integer overflow), Trusted Volumes ($5.9M, access control), Aperture Finance ($3.2M, input validation), and Ekubo ($1.4M, callback flaw). The rise of decompilers and LLMs enables automated vulnerability scanning at scale, creating an asymmetric advantage for attackers. Protocols are urged to verify all contracts, extend bug bounty scope, and implement real-time monitoring as unverified contracts become prime targets.

Key facts

  • $36.7M stolen from four unverified contracts in six months
  • AI-assisted decompilation enables automated vulnerability hunting at scale
  • Unverified contracts lack community oversight and bug bounty coverage
  • Truebit lost $26.2M due to an integer overflow in an unverified bonding curve
  • Attackers systematically hunt across verified and unverified contracts