Top 3 DeFi Incidents in January
Truebit Protocol: ~$26M
On January 8, 2026, Truebit Protocol on Ethereum was exploited, resulting in approximately $26 million in losses.
The root cause was an integer overflow vulnerability in the TRU token purchase pricing function. The contract was compiled with Solidity v0.6.10, which does not enforce overflow checks by default. The attacker crafted input parameters that caused a large intermediate value in the purchase cost calculation to overflow and wrap around to a much smaller number. This allowed the attacker to purchase large amounts of TRU tokens at minimal or even zero ETH cost.
The attacker performed multiple rounds of arbitrage within a single attack transaction, repeatedly executing buy and sell operations on TRU tokens. Notably, the protocol had intentionally designed pricing asymmetry between buying and selling to prevent immediate buy-sell arbitrage. However, the vulnerable contract was deployed using an outdated Solidity version without overflow protection, exposing the attack surface and ultimately leading to the draining of 8,535 ETH from protocol reserves.
SwapNet & Aperture: ~$17M
On January 25, 2026, SwapNet and Aperture Finance suffered attacks stemming from a shared vulnerability, resulting in approximately $17 million in total losses. The attack significantly impacted Matcha Meta users, with affected funds exceeding $13 million.
Although both affected contracts were closed-source, the attack paths could be reconstructed by analyzing decompiled bytecode alongside on-chain transaction traces. The root cause was insufficient validation on crucial user inputs within vulnerable functions, allowing attackers to execute arbitrary calls with malicious parameters. In a series of attack transactions, attackers constructed ERC20 transferFrom() invocations to drain tokens from users who had previously granted token allowances to the vulnerable contracts.
Both protocols involved in this attack did not open-source their code, making it difficult for the community to identify security vulnerabilities through public review. Meanwhile, the allowance-based attack approach serves as a wake-up call for the industry: users must carefully manage their token allowances, while protocols should implement protective mechanisms such as time-locked or capped approvals to fundamentally mitigate the risks of such attacks.
Learn more details about the incident
Saga: ~$7M
On January 21, 2026, SagaEVM in the Saga ecosystem was exploited, resulting in unauthorized token minting and a loss of approximately $7 million.
While the root cause has not yet been fully disclosed, official sources have confirmed that a shared vulnerability in Ethermint and CosmosEVM code, which was inherited by SagaEVM—led to the attack. The attacker deployed malicious smart contracts to execute the exploit, minting a substantial amount of Saga Dollars. Following the successful attack, nearly all stolen funds was swiftly transferred to the Ethereum network via cross-chain bridges.
This incident highlights the risks of code inheritance in blockchain ecosystems. When vulnerabilities exist in foundational codebases, all projects inheriting that code may face the same threats, creating cascading security vulnerabilities.
The information above is based on data as of 00:00 UTC, January 31, 2026.
This concludes the January security incidents brief.
You can learn more in our Security Incidents Library.
Stay informed and stay secure!
