$1.4 million evaporated overnight: How unverified contracts become hackers' self-service ATM

Decentralized exchange TMX on the Arbitrum network was hacked through an unverified contract, resulting in a loss of approximately $1.4 million. According to CertiK’s monitoring data, the hacker used carefully crafted repeated operations to systematically drain the contract’s USDT, wrapped SOL, and WETH assets. This incident once again exposes a severely underestimated risk in the DeFi ecosystem: unverified contracts are like unlocked safes, waiting to be pried open.

How did the hacker do it

The attack method was not complicated, but highly efficient:

  • Mint TMX LP tokens paired with USDT
  • Exchange USDT for USDG
  • Unstake TMX LP
  • Sell USDG for more assets
  • Repeat the above steps cyclically

This “arbitrage cycle” worked because of a flaw in the contract logic: the attacker found a price discrepancy or a defect in the exchange mechanism that every pass through the loop could exploit. Each step on its own is an ordinary user action, which is why nothing stopped the loop; repeating it simply drained the contract’s liquidity.

Why “Unverified Contract”

The key term here is “unverified.” Strictly, a block explorer such as Arbiscan calls a contract “verified” when its source code has been published and matches the deployed bytecode; an audit is a separate review of that code by a third party. The article uses the term in the broader sense of a contract that has had neither, and the contrast is:

Verified contract | Unverified contract
Source published on the explorer and audited by a security firm such as CertiK or OpenZeppelin | Source unpublished and no third-party security review
Code logic checked by professionals | Nobody outside the team has looked for vulnerabilities
Risks are relatively transparent | Risks are hidden “landmines”
Cost to an attacker is high | Cost to an attacker is low

Many new projects skip auditing to launch quickly. This looks like a cost saving but is a gamble that nobody will find the vulnerabilities, and attackers are exactly the people who look hardest.
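The explorer check described above can be automated. The following Python script is an added example, not code from the original article or from TMX, CertiK or Gate: it builds a request to an Etherscan-family explorer’s getsourcecode endpoint (Arbiscan’s URL is assumed for Arbitrum) and classifies the response as unverified, verified, or a verified proxy whose implementation still has to be checked. The contract addresses and JSON responses are constructed for illustration, and the network call is only built, not sent, so it runs offline.

```python
"""Classify a contract's explorer verification status (added example).

Etherscan-family explorers (Etherscan, Arbiscan, ...) expose
`module=contract&action=getsourcecode`. For an unverified contract the
result entry carries an empty "SourceCode" and an "ABI" string of
"Contract source code not verified". The JSON samples below are
constructed for this example, not captured from a real explorer.
"""
import json
from urllib.parse import urlencode

ARBISCAN_API = "https://api.arbiscan.io/api"  # Arbitrum One explorer (assumed endpoint)


def build_source_query(address: str, api_key: str) -> str:
    """Build the getsourcecode request URL (built here, never sent)."""
    params = {
        "module": "contract",
        "action": "getsourcecode",
        "address": address,
        "apikey": api_key,
    }
    return f"{ARBISCAN_API}?{urlencode(params)}"


def classify_contract(response: dict) -> dict:
    """Return a report dict from a parsed getsourcecode response.

    'status' is one of 'error', 'unverified', 'verified'. A verified proxy
    is flagged with is_proxy and its implementation address, because a
    verified proxy says nothing about the code that actually runs.
    """
    result = response.get("result")
    if response.get("status") != "1" or not isinstance(result, list) or not result:
        # The explorer returns status "0" and a string result for bad input.
        return {"status": "error", "message": str(result or response.get("message", ""))}
    entry = result[0]
    source = entry.get("SourceCode", "")
    abi = entry.get("ABI", "")
    if not source or abi.startswith("Contract source code not verified"):
        return {"status": "unverified", "message": abi or "no source published"}
    return {
        "status": "verified",
        "name": entry.get("ContractName", ""),
        "compiler": entry.get("CompilerVersion", ""),
        "is_proxy": entry.get("Proxy") == "1",
        "implementation": entry.get("Implementation", ""),
    }


def needs_follow_up(report: dict) -> list:
    """Warnings a depositor should act on before sending funds."""
    warnings = []
    if report["status"] != "verified":
        warnings.append("source not verified: you cannot read what the contract does")
    elif report["is_proxy"]:
        warnings.append(f"proxy contract: also check implementation {report['implementation']}")
    return warnings


# Constructed sample responses (placeholder addresses, not real contracts).
SAMPLE_UNVERIFIED = json.loads("""{
  "status": "1", "message": "OK",
  "result": [{"SourceCode": "", "ABI": "Contract source code not verified",
              "ContractName": "", "CompilerVersion": "", "Proxy": "0",
              "Implementation": ""}]
}""")

SAMPLE_VERIFIED_PROXY = json.loads("""{
  "status": "1", "message": "OK",
  "result": [{"SourceCode": "// SPDX-License-Identifier: MIT\\npragma solidity ^0.8.20;\\ncontract Proxy { }",
              "ABI": "[]", "ContractName": "Proxy",
              "CompilerVersion": "v0.8.20+commit.a1b79de6", "Proxy": "1",
              "Implementation": "0x000000000000000000000000000000000000dead"}]
}""")

SAMPLE_BAD_ADDRESS = json.loads("""{
  "status": "0", "message": "NOTOK", "result": "Invalid Address format"
}""")


if __name__ == "__main__":
    print(build_source_query("0x0000000000000000000000000000000000000001", "YourApiKeyToken"))
    for label, sample in [("unverified", SAMPLE_UNVERIFIED),
                          ("verified proxy", SAMPLE_VERIFIED_PROXY),
                          ("bad address", SAMPLE_BAD_ADDRESS)]:
        report = classify_contract(sample)
        detail = report["message"] if report["status"] == "error" else needs_follow_up(report)
        print(label, "->", report["status"], detail)
```

A “verified” result is the floor, not the ceiling: it only means the published source is what is deployed. Whether that source has been audited, and whether the audited address is the one you are sending funds to, still has to be checked against the auditor’s published report.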

What does this case tell us

On the surface, it appears to be TMX’s loss. But the deeper issues are:

DeFi users’ lack of risk awareness

Many participants in liquidity mining or trading never check whether a contract has been audited. By contrast, Mutuum Finance, which has attracted over 18,600 holders, completed dual security audits by Halborn and CertiK, which sets it apart.

Project teams’ risk management flaws

Launching an unverified contract is a red flag in itself. A legitimate project should publish verified source and have the code audited once the full functionality is ready and before it accepts user funds, not after a problem occurs.

Decreasing hacker costs

Each successful attack adds more “tricks” to the hacker’s toolkit. The next unverified contract may face similar risks.

What to watch for next

  • Will TMX project team release an official statement and compensation plan?
  • Will the Arbitrum network strengthen risk warnings for new contracts?
  • Will the stolen $1.4 million be tracked and frozen?
  • How many other unverified contracts are still at risk?

Summary

The core lesson from this incident is simple: in DeFi, contract verification and auditing are not optional. If a project launches without them, every fund deposited is a bet on the team’s code quality, and attackers are the most diligent “code auditors” of all.

For users, before putting funds into any DeFi project, open the contract on the network’s block explorer (Arbiscan for Arbitrum, Etherscan for Ethereum mainnet) and confirm that its source code is verified, then look for a published audit report from a firm such as CertiK or OpenZeppelin and check that the audited address is the one you are interacting with. None of this requires a technical background, and it removes a large share of the risk. For project teams, an audit costs far less than a hack; $1.4 million is the best lesson.
