Why Hackers Are Now Targeting Hidden Smart Contracts: The $36.7M Exploit Trend

Unverified smart contracts have become a major target for attackers, with at least $36.7 million in losses across four DeFi exploits over the past six months. According to blockchain intelligence firm Chainalysis, protocols that keep their source code hidden from public view are increasingly vulnerable to sophisticated attacks, even though many believed secrecy would provide additional protection.

What Are Unverified Smart Contracts and Why Do They Matter?

A smart contract is a self-executing program that runs on a blockchain. When developers verify a contract, they publish its source code on a blockchain explorer, allowing security researchers and the public to review it for vulnerabilities. Unverified contracts keep this code hidden, relying on obscurity as a security measure. However, this approach is rapidly losing effectiveness as attackers gain new tools to break through that obscurity.

The largest incident in Chainalysis's report involved Truebit, which lost $26.2 million after an attacker exploited an integer overflow vulnerability in a contract that had remained unverified on Ethereum since 2021. Three other protocols suffered similar attacks: Trusted Volumes, Aperture Finance, and Ekubo. In each case, the hidden code meant limited scrutiny from security researchers and exclusion from many bug bounty programs, despite these contracts controlling user funds.

How Are Attackers Reverse-Engineering Hidden Code?

The shift toward targeting unverified contracts reflects advances in decompilation tools and artificial intelligence. Decompilation is the process of converting compiled code back into a readable form. What once required a skilled reverse engineer spending days on a single contract can now be partially automated across large numbers of unverified contracts, according to Chainalysis. This democratization of attack capability means more threat actors can identify vulnerabilities without needing specialized expertise.

The report challenges a longstanding assumption in decentralized finance (DeFi), a sector where financial applications run on blockchains without traditional intermediaries. Chainalysis noted that protocols relying on hidden code are increasingly depending on "obscurity as a security measure," an approach the company said is rapidly losing effectiveness. This finding suggests that the familiar "security through obscurity" approach no longer holds in the age of AI-powered code analysis.

How to Protect DeFi Protocols From Unverified Contract Exploits

  • Source Code Verification: Make smart contract code publicly available on blockchain explorers so security researchers can review it for vulnerabilities before attackers discover them.
  • Broader Bug Bounty Coverage: Expand bug bounty programs to include all contracts controlling user funds, not just verified ones, incentivizing security researchers to find and report vulnerabilities responsibly.
  • Real-Time Monitoring Tools: Deploy continuous monitoring systems that track contract behavior and flag suspicious activity, allowing teams to respond to attacks faster.

Chainalysis recommended these three safeguards as essential defenses against future exploits targeting unverified contracts.
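To make concrete what the "verification" in the first safeguard actually checks, here is an added example that is not from the article or from Chainalysis: an explorer-style comparison of bytecode compiled from published source against the bytecode actually on chain, where only the trailing solc metadata (which carries a source hash and compiler version) is allowed to differ. The CBOR encoder, sample bytecode and hashes are simplified constructions for illustration, and real explorers perform further checks beyond this one.

```python
def cbor_metadata(ipfs_hash: bytes, solc_version: bytes) -> bytes:
    """Hand-built CBOR map {"ipfs": ..., "solc": ...} in the shape solc appends.

    Constructed for this example; real metadata may carry additional keys.
    """
    assert len(ipfs_hash) < 256 and len(solc_version) < 24
    return (b"\xa2"                                    # map with 2 entries
            + b"\x64ipfs" + b"\x58" + bytes([len(ipfs_hash)]) + ipfs_hash
            + b"\x64solc" + bytes([0x40 | len(solc_version)]) + solc_version)


def append_metadata(code: bytes, metadata: bytes) -> bytes:
    """solc trails the runtime code with the metadata plus its 2-byte big-endian length."""
    return code + metadata + len(metadata).to_bytes(2, "big")


def strip_metadata(runtime: bytes) -> bytes:
    """Drop the metadata trailer, if one is plausibly present, leaving executable code."""
    if len(runtime) < 2:
        return runtime
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len + 2 > len(runtime):
        return runtime                                 # no valid trailer; compare as-is
    return runtime[: -(meta_len + 2)]


def verify(compiled: bytes, onchain: bytes) -> str:
    """'full' if byte-identical, 'partial' if only the metadata differs, else 'mismatch'."""
    if compiled == onchain:
        return "full"
    if strip_metadata(compiled) == strip_metadata(onchain):
        return "partial"                               # same code, different source hash/compiler
    return "mismatch"                                  # published source does not describe this contract


# Constructed sample inputs (not real contract bytecode or content hashes).
CODE = bytes.fromhex("6080604052348015600f57600080fd5b50600080fdfe")
VERSION = b"\x00\x08\x14"                              # metadata encoding of solc 0.8.20
HASH_A = b"\x12\x20" + bytes(32)
HASH_B = b"\x12\x20" + bytes([0xAB]) * 32


def run_example() -> dict:
    """Compare one compiled artifact against three deployed variants."""
    compiled = append_metadata(CODE, cbor_metadata(HASH_A, VERSION))
    same_source = append_metadata(CODE, cbor_metadata(HASH_A, VERSION))
    other_hash = append_metadata(CODE, cbor_metadata(HASH_B, VERSION))
    tampered = append_metadata(CODE[:-1] + b"\x00", cbor_metadata(HASH_A, VERSION))
    return {
        "identical": verify(compiled, same_source),      # full
        "metadata_only": verify(compiled, other_hash),   # partial
        "tampered": verify(compiled, tampered),          # mismatch
    }
```

A "partial" result still means the published source produces the deployed code; only a "mismatch" indicates that reviewers are reading something other than what controls the funds.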

What Broader Trends Are Driving DeFi Security Concerns?

The unverified contract problem arrives amid a broader surge in crypto exploits. According to DeFiLlama, a data platform tracking decentralized finance, hackers stole $629.7 million in April alone, the highest monthly total since February 2025. Two incidents accounted for most of the losses: KelpDAO lost $293 million and Drift Protocol suffered a $280 million exploit, together representing more than 80 percent of the month's stolen funds.

Although losses fell sharply in May, with security firm CertiK reporting $68.3 million stolen from cryptocurrency exploits, the fallout from April's largest attacks continued. In June, blockchain intelligence platform Arkham reported that the attacker behind the KelpDAO exploit had laundered nearly all of the roughly $220 million in unfrozen stolen funds, demonstrating how quickly attackers can move stolen assets through mixing services and exchanges.

The KelpDAO exploit also prompted several DeFi protocols to review their security infrastructure. Projects including Solv Protocol announced plans to migrate to Chainlink's crosschain infrastructure following internal security reviews. Chainlink is a decentralized oracle network that provides external data to smart contracts, and its crosschain services allow assets to move securely between different blockchains.

Beyond DeFi exploits, the broader cybersecurity landscape shows how attackers are leveraging artificial intelligence. This month, AI research company Anthropic reported that 560 of the 832 accounts it banned for policy violations over a one-year period had used AI to help prepare cyberattacks, including writing malware and identifying vulnerabilities. This trend underscores how AI tools are lowering the barrier to entry for attackers across all sectors, not just crypto.

The convergence of unverified contracts, advanced decompilation tools, and AI-powered vulnerability discovery suggests that DeFi security will remain a critical challenge. Protocols that continue to rely on code obscurity rather than transparent verification and robust monitoring may face increasing risk as attacker capabilities continue to evolve.