Attackers are increasingly turning their attention to a less visible corner of the decentralized finance (DeFi) ecosystem: unverified smart contracts. While most major DeFi protocols publicly verify their source code on blockchain explorers, allowing developers, researchers and users to scrutinize them, a number of projects continue to operate with closed-source contracts.
The approach is often intended to limit visibility into proprietary code, but it has also created a growing target for cybercriminals willing to reverse-engineer these contracts in search of vulnerabilities.
The trend has become more pronounced in recent months. According to Chainalysis data, attackers stole $36.7 million through four separate exploits involving unverified smart contracts over the past six months, exposing weaknesses that in some cases had remained undiscovered for years.
Although the figure represents only a small share of the more than $1 billion lost across the broader DeFi sector during the same period, security experts warn that advances in contract decompilation tools are making closed-source protocols increasingly vulnerable, raising questions about whether obscurity still offers meaningful protection.
Combined losses hit $36.7 million
Chainalysis identified five protocols over the last six months where the exploited smart contract — not an attacker-deployed contract, but the protocol’s own code — was unverified on the relevant block explorer at the time of the exploit. Combined losses totaled approximately $36.7 million.
In each case, the protocol contract was unverified on Etherscan and had no published source code associated with it. The analysis focused solely on protocol-owned or protocol-deployed contracts responsible for holding, managing, or controlling user funds.
On January 8, 2026, an attacker drained $26.2 million from Truebit, a tokenized asset protocol. The contract they targeted had been sitting on Ethereum since 2021, and its implementation had never been verified on Etherscan.
Why unverified contracts attract attackers
At first glance, unverified smart contracts may appear to be less attractive targets because their source code is not publicly available. However, advances in reverse-engineering tools and artificial intelligence are rapidly eroding that advantage.
Modern decompilers can convert EVM bytecode into readable Solidity-like code, while large language models can analyze that output for vulnerabilities such as reentrancy flaws, access control weaknesses and arithmetic errors. What once required a skilled reverse engineer days to investigate can now be automated across thousands of contracts, allowing attackers to systematically identify and prioritize high-value targets.
Unverified contracts also lack the informal security benefits that come with public scrutiny. Verified smart contracts are routinely examined by independent researchers, auditors and developers who may identify and report vulnerabilities before they can be exploited. By contrast, vulnerabilities in closed-source contracts remain largely hidden from the broader security community, making them less likely to be discovered by defenders and more likely to remain exploitable for longer periods.
Another factor is their exclusion from bug bounty programs. Several of the protocols affected by recent exploits maintained active bounty initiatives, yet the unverified contracts involved were explicitly outside the scope of those programs. As a result, ethical hackers had little incentive to investigate or disclose vulnerabilities, potentially leaving critical flaws undiscovered until they were exploited by attackers.
Implications and what protocols can do
The growing number of attacks against unverified smart contracts underscores the need for stronger security practices across the DeFi ecosystem. At a minimum, protocols should treat source code verification on blockchain explorers as a core security requirement for any contract that holds, manages, or controls user funds. This applies not only to user-facing contracts but also to implementation contracts operating behind proxy architectures, as several recent exploits targeted unverified implementations hidden behind otherwise verified proxy contracts.
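One way a protocol team can turn the proxy point above into a routine inventory check, as an added example that is not Chainalysis's or any protocol's own code: it reads the EIP-1967 implementation slot behind a proxy and flags the exact case described here, a verified proxy fronting an unverified implementation. The storage and explorer lookups are injected callables (assumed to wrap eth_getStorageAt and the explorer's source-code endpoint), and all addresses and storage words are constructed.

```python
# Added example (not Chainalysis's or any protocol's code): flag fund-holding
# contracts whose EIP-1967 implementation is unverified even though the proxy
# itself is verified. Data sources are injected callables so this runs offline.
from typing import Callable, Optional

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"

GetStorage = Callable[[str, str], str]  # (address, slot) -> 32-byte hex word
IsVerified = Callable[[str], bool]      # address -> explorer has source code


def resolve_implementation(address: str, get_storage_at: GetStorage) -> Optional[str]:
    """Return the EIP-1967 implementation behind `address`, or None if not a proxy."""
    word = get_storage_at(address, EIP1967_IMPL_SLOT).lower().removeprefix("0x").rjust(64, "0")
    impl = word[-40:]  # the address lives in the low 20 bytes of the slot
    return None if int(impl, 16) == 0 else "0x" + impl


def audit_contract(address: str, get_storage_at: GetStorage, is_verified: IsVerified) -> dict:
    """Classify a contract by which of its code a reviewer can actually read."""
    proxy_ok = is_verified(address)
    impl = resolve_implementation(address, get_storage_at)
    impl_ok = is_verified(impl) if impl else None
    if impl is None:
        finding = "ok" if proxy_ok else "unverified-contract"
    elif proxy_ok and impl_ok:
        finding = "ok"
    elif proxy_ok:
        finding = "unverified-implementation-behind-verified-proxy"
    elif impl_ok:
        finding = "unverified-proxy"
    else:
        finding = "unverified-contract"
    return {"address": address, "proxy_verified": proxy_ok,
            "implementation": impl, "implementation_verified": impl_ok,
            "finding": finding}


# Constructed sample state (made-up addresses) standing in for eth_getStorageAt
# and the explorer's source-code lookup; swap in real clients for production use.
PROXY = "0x" + "aa" * 20
IMPL = "0x" + "bb" * 20
SAMPLE_STORAGE = {(PROXY, EIP1967_IMPL_SLOT): "0x" + "00" * 12 + "bb" * 20}
SAMPLE_VERIFIED = {PROXY: True, IMPL: False}


def sample_storage(addr: str, slot: str) -> str:
    return SAMPLE_STORAGE.get((addr, slot), "0x" + "00" * 32)


def sample_verified(addr: str) -> bool:
    return SAMPLE_VERIFIED.get(addr, False)


if __name__ == "__main__":
    print(audit_contract(PROXY, sample_storage, sample_verified))
```

Run it over every protocol-owned address that holds or controls user funds; any result other than "ok" is a contract that independent reviewers and bounty hunters cannot read.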
Protocols should also ensure that security audits extend beyond planned code releases and cover the contracts actually deployed in production. Vulnerabilities can emerge when new contracts are introduced between audit cycles or when legacy components remain active without undergoing fresh security reviews. Similarly, bug bounty programs should be expanded to cover all contracts that secure user assets, regardless of whether they belong to a flagship product, a legacy deployment, or a newly launched feature. Excluding certain contracts from bounty scopes can leave critical vulnerabilities undiscovered and unreported.
As attackers increasingly leverage automated tools and AI-assisted analysis to identify weaknesses, real-time monitoring is becoming an essential layer of defense. Even when contracts remain unverified, on-chain security platforms can detect unusual transaction patterns, flag suspicious contract interactions and trigger automated mitigation measures before losses escalate. In an environment where exploits can unfold within minutes, continuous monitoring and rapid response capabilities are no longer optional but increasingly necessary to reduce risk and protect user funds.
Security through obscurity is no longer enough
The convergence of three factors — a growing inventory of unverified contracts on public blockchains, increasingly capable decompilation tools and AI models that can analyze bytecode at scale — suggests this trend will accelerate.
Anthropic’s research has demonstrated that AI agents can autonomously achieve millions of dollars in successful exploits against previously compromised smart contracts, including contracts deployed after the models’ knowledge cutoff.
This shift mirrors a broader trend across cybersecurity, where automated tools are enabling attackers to scan for and exploit vulnerabilities more efficiently than ever before. For blockchain networks such as Ethereum, Base, Arbitrum and BNB Chain, every unverified contract represents a potential target for large-scale automated analysis. As a result, relying on closed-source code as a security measure is becoming increasingly ineffective. For DeFi protocols, the lesson is clear: security through obscurity is no longer enough in an era of AI-powered vulnerability discovery.