AI targets unverified contracts, Humanity encounters hackers.

3 hours ago

Two dangerous curves are intersecting on the same timeline. On one side is the battlefield of "unverified smart contracts" described in Chainalysis's latest report: attackers equipped with AI tools, including large language models, can systematically hunt for vulnerabilities and scan on-chain targets in bulk even when all they can see is bytecode. According to the report, in the past six months at least four DeFi protocols that relied on unverified contracts, Truebit, Trusted Volumes, Aperture Finance, and Ekubo, have been compromised, with cumulative losses of approximately 36.7 million dollars, making them representative samples of this trend. On the other side is the security attack Humanity recently suffered. After confirming the incident, the project team immediately disclosed the attacker's address and built a real-time tracking page, shared the relevant transfer paths with several centralized and decentralized platforms, announced a recovery plan for affected users, and offered a total bounty of 1 million USDT for any clues that might help recover the stolen funds, committing to use recovered funds to buy back its token H. The technical cause and exact loss are still to be confirmed, but the bounty and tracking effort alone already sketch today's crypto security landscape clearly enough: at one end, an AI-driven contest over code and unverified contracts; at the other, a contest over keys, operations, and recovery. Together they form a "dual battlefield of contract security and private key security."

AI assists hackers, unverified contracts become new prey

On this "contract security front," the first breach comes from unverified smart contracts whose owners mistakenly believe they are hidden from view. An unverified smart contract is one whose source code has not been publicly verified on-chain or on a mainstream block explorer, so external security teams and the community cannot read and review its logic line by line; all they can see is the raw bytecode. This practice cuts off conventional audits and community review, but it does not really stop a prepared attacker: the attacker can obtain the same bytecode and simply brings a different set of tools to it.

Chainalysis points out in its latest report that the attacker's toolbox is being transformed by AI: attackers no longer depend on published source code but take the raw bytecode of unverified contracts as input, using decompilers and large language models for pattern recognition and systematic vulnerability mining. In the past six months, at least four DeFi protocols whose core logic relied on unverified contracts, Truebit, Trusted Volumes, Aperture Finance, and Ekubo, have been compromised in succession, with accumulated losses of approximately 36.7 million dollars, making them typical samples of this trend. The old assumption that "unpublished code is safer code" has been inverted in the AI era and has become a blind spot for the defenders: the defending side loses advance warning from the community and third parties, while attackers, with algorithmic assistance, deconstruct bytecode faster; a thicker black box often only makes it harder for the defenders themselves to see the risks.
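One concrete, defender-side response to the pattern described above is to inventory which of a protocol's contracts are actually source-verified, including the implementation behind a proxy, since a verified proxy shell in front of an unverified implementation is still an unverified contract. The following is an added example and not code from the article or from any project named in it; it uses constructed payloads shaped like an Etherscan-style `getsourcecode` response (the `SourceCode`, `Proxy` and `Implementation` fields are assumed to follow that format) and made-up addresses so it runs offline.

```python
"""Triage a list of contract addresses for unverified source code."""
from typing import Callable, Dict, List

# Constructed sample payloads shaped like the explorer's getsourcecode
# response (module=contract&action=getsourcecode). Addresses and
# contents are made up for this example.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "0x0001": {"result": [{"SourceCode": "contract Vault { }",
                           "ContractName": "Vault", "Proxy": "0",
                           "Implementation": ""}]},
    "0x0002": {"result": [{"SourceCode": "",
                           "ABI": "Contract source code not verified",
                           "ContractName": "", "Proxy": "0",
                           "Implementation": ""}]},
    "0x0003": {"result": [{"SourceCode": "contract Proxy { }",
                           "ContractName": "Proxy", "Proxy": "1",
                           "Implementation": "0x0002"}]},
}

Lookup = Callable[[str], dict]

def lookup_offline(address: str) -> dict:
    """Stand-in for the HTTP call; returns the constructed payload."""
    return SAMPLE_RESPONSES[address]

def is_verified(payload: dict) -> bool:
    # Explorers return an empty SourceCode for unverified contracts.
    return bool(payload["result"][0].get("SourceCode"))

def verification_status(address: str, lookup: Lookup = lookup_offline) -> dict:
    """Resolve verification for the address and, if a proxy, its target."""
    entry = lookup(address)["result"][0]
    status = {"address": address, "verified": is_verified(lookup(address)),
              "proxy": entry.get("Proxy") == "1",
              "implementation": entry.get("Implementation") or None,
              "implementation_verified": None}
    if status["proxy"] and status["implementation"]:
        status["implementation_verified"] = is_verified(lookup(status["implementation"]))
    return status

def unverified_findings(addresses: List[str], lookup: Lookup = lookup_offline) -> List[str]:
    """Return one finding per address whose effective code is unverified."""
    findings = []
    for addr in addresses:
        s = verification_status(addr, lookup)
        if not s["verified"]:
            findings.append(f"{addr}: source not verified")
        elif s["proxy"] and not s["implementation_verified"]:
            findings.append(f"{addr}: proxy verified but implementation {s['implementation']} is not")
    return findings
```

Swapping `lookup_offline` for a function that calls the explorer API turns this into a periodic check over a protocol's deployed addresses.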

The commonality of DeFi attacks from Truebit to Ekubo

If Truebit, Trusted Volumes, Aperture Finance, and Ekubo are placed on the same timeline, it is hard to treat them as four unrelated incidents. According to Chainalysis's report, these four DeFi protocols, all using unverified smart contracts, were compromised one after another in the past six months, with accumulated losses of approximately 36.7 million dollars, and are explicitly categorized as representative samples of the same attack trend: core business logic wrapped in unverified contracts, source code not verified on public platforms, so that external security teams and the community cannot "pick apart the code" in advance, while attackers can keep forming and testing hypotheses against the on-chain bytecode in search of an execution path that breaches the defenses.

In terms of outcomes, these events signal not "individual project negligence" but a nascent structural contradiction: on one side, DeFi projects that want to accommodate more complex business processes and keep iterating quickly choose to leave key contracts unverified for extended periods; on the other side, attackers empowered by tools like AI prioritize unverified contracts as high-value targets for initial investigation. The commonality among Truebit, Trusted Volumes, Aperture Finance, and Ekubo is a concentrated manifestation of this misalignment: complex logic behind an unverified shell becomes the focal point of attack paths, and the question of "whether to verify contracts" shifts from a compliance matter to a life-or-death boundary that later DeFi projects will find hard to avoid.

Humanity attacked: the second battlefield beyond code

At the same moment that unverified contracts took the spotlight, the Humanity incident shone a light on another line of defense: not a contract pointed out as vulnerable, but something closer to key management, devices, and operational process, an entire "off-chain" attack surface. The project team has so far confirmed only that a security attack occurred; the time of occurrence, intrusion path, and technical cause have not yet been made public. This information vacuum itself exposes the pressure the project faces in operational and security communication: when it cannot yet say whether the problem was contract logic, a private key leak, or a compromised operator device, the market will automatically inflate its imagination of the risk.

Unlike some projects that choose to minimize noise after an incident, Humanity promptly provided a clear on-chain anchor after confirming the attack: it marked and publicly disclosed the attacker's address, shared the downstream transfer paths from that address with several centralized and decentralized trading platforms and aggregators, and stated that it had launched a real-time tracking page around that address and the related capital flows so the community can keep monitoring. This means that even before the technical review is complete, interception, freezing, and coordinated response around that specific address have already moved into the execution layer. At the same time, the project team announced that it is formulating a recovery plan for affected users, advancing "how to compensate" and "how to plug the gaps" in parallel. Compared with the DeFi protocols above, whose unverified contracts exposed them to AI-powered attack surfaces, Humanity's case reminds the market that even when the contract code has never been pointed out as obviously defective, a loose link anywhere in the chain of private key custody, device security, internal permissions, and operational process lets attackers bypass public audits entirely; this off-code security chain has in substance become a battlefield as important as the on-chain contracts.

Humanity’s 1 million USDT reward and H repurchase

After tracing the attacker's address and building a real-time tracking page, Humanity played a more confrontational card: the project team announced a total reward of 1 million USDT for anyone who can provide effective clues that help recover the stolen assets. The bounty details and contact methods have been published through official channels, but users should verify the specific email addresses and links themselves. The project team deliberately placed this reward, the on-chain capital tracking, and the user recovery plan within the same emergency framework, attempting to close the loop among "finding the person," "finding the money," and "reassuring users."

More market-oriented is Humanity's public commitment that if some or all of the assets are successfully recovered, the recovered funds will be used to buy back its token H on the secondary market. This means that any progress in recovery will not leave the funds sitting in the project treasury but will directly affect the asset position of H holders. For attackers, the high bounty and potential buyback create a "negotiation anchor," raising the likelihood that they return the funds out of practical considerations; for white hats and security teams, a clearly defined reward pool raises the expected return on proactive collaboration; for the community and affected users, there is at least a visible path from tracking through bounty to buyback, signaling that the project team is not stopping at technical review but is trying to buy time and confidence with visible financial commitments.

In the AI era: contract disclosure and private key defense lines

From the wave of attacks on unverified contracts summarized by Chainalysis to Humanity's heavy blow from an off-chain weakness whose technical cause is still to be confirmed, a clearer conclusion is emerging: in an era where attackers systematically use AI to "read code and find holes," the security perimeter is no longer just a contract; it must cover both on-chain code disclosure and off-chain key custody, access control, and operational process at the same time. Project teams face a realistic examination: continue relying on the hidden defense of "the source is not public, outsiders cannot see it, so it is relatively safe," or accept the premise that AI will eventually penetrate bytecode and move proactively toward completing source verification on a block explorer, commissioning third-party audits, and collaborating more transparently with community security researchers, while upgrading multi-signature structures, permission tiers, and internal control processes in parallel. Humanity's choice to publicly disclose the attacker's address and transfer paths, build a tracking page, prepare a recovery plan, establish a 1 million USDT reward, and commit recovered funds to buying back H offers a sample of multi-track remediation and points to several things worth watching: whether a broader range of projects with unverified contracts will turn to source disclosure and auditing under AI pressure, whether bounties and token buybacks will become the norm in future security incidents, and to what extent regulators and infrastructure providers will step in to give projects and users more professional compliance and security support.
Whether these changes materialize will determine whether the on-chain ecosystem of the AI era can find a new security balance between more transparent contracts and a tighter private key defense line.


Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
