A crypto hacker who drained $26 million from Ethereum-based protocol Truebit in January had likely practiced the technique on smaller targets first, according to blockchain analytics firm Chainalysis.

A Contract Left Exposed For Years

The Truebit exploit was the largest of four incidents Chainalysis identified in a new report covering the past six months. Together, those attacks — targeting Truebit, Trusted Volumes, Aperture Finance, and Ekubo — account for roughly $37 million in losses, all traced back to contracts whose source code had never been publicly verified on blockchain explorers.

The Truebit contract had been sitting on Ethereum since 2021. It was compiled using Solidity v0.5.3, a version released before automatic overflow…