{"id":29016,"date":"2026-05-19T07:48:26","date_gmt":"2026-05-19T07:48:26","guid":{"rendered":"https:\/\/bitunikey.com\/news\/echo-protocol-pauses-bridge-after-attacker-mints-76m-ebtc\/"},"modified":"2026-05-19T07:48:37","modified_gmt":"2026-05-19T07:48:37","slug":"echo-protocol-pauses-bridge-after-attacker-mints-76m-ebtc","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/echo-protocol-pauses-bridge-after-attacker-mints-76m-ebtc\/","title":{"rendered":"Echo Protocol pauses bridge after attacker mints $76M eBTC"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p>Bitcoin-focused DeFi platform Echo Protocol has suffered an exploit after an attacker minted roughly 1,000 unauthorized eBTC tokens on the protocol\u2019s Monad deployment.<\/p>\n<div id=\"cn-block-summary-block_43a9437cf7acaf4a3f8364643ebc9384\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Echo Protocol suspended cross-chain transactions after an attacker minted about $76.7 million in unauthorized eBTC on Monad.<\/li>\n<li>On-chain investigators said the exploiter used fake eBTC as collateral on Curvance to borrow real Bitcoin-backed assets before moving funds through Tornado Cash.<\/li>\n<li>Security researchers linked the incident to a compromised admin private key, while Monad and Curvance said their core networks and smart contracts were not breached.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>Blockchain security firm PeckShield and on-chain analytics platform Lookonchain <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/peckshieldalert\/status\/2056519415211192670\" target=\"_blank\" rel=\"nofollow\">reported<\/a> on Tuesday that the attacker generated around $76.7 million worth of synthetic Bitcoin tokens tied to Echo\u2019s eBTC asset.\u00a0<\/p>\n<p>Early findings shared by multiple researchers indicated that the exploit was not caused by a flaw in Monad itself, but by compromised administrative access linked to Echo\u2019s infrastructure.<\/p>\n<p>Soon after the unauthorized minting, the attacker moved part of the funds into decentralized lending markets. Data shared by Onchain Lens showed that 45 eBTC was deposited into lending protocol Curvance as collateral, allowing the exploiter to borrow around 11.29 wrapped Bitcoin worth nearly $868,000 at the time.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Exploit Alert \ud83d\udea8<\/p>\n<p>According to <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/dcfgod?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@dcfgod<\/a>, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/EchoProtocol_?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@EchoProtocol_<\/a> on <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/monad?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@monad<\/a> has been exploited.<\/p>\n<p>The attacker reportedly minted 1,000 <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24eBTC&amp;src=ctag&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">$eBTC<\/a> worth $76.7M and used a previously tested exploit flow to extract funds through Curvance.<\/p>\n<p>So far, the exploiter has:<\/p>\n<p>\u2022 Deposited 45 <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24eBTC&amp;src=ctag&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">$eBTC<\/a> ($3.45M)\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/933n9bbq3X\">pic.twitter.com\/933n9bbq3X<\/a><\/p>\n<p>\u2014 Onchain Lens (@OnchainLens) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/OnchainLens\/status\/2056522722461761612?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 18, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>After securing the borrowed assets, the attacker bridged the WBTC to Ethereum, swapped the tokens into ETH, and later routed 385 ETH through Tornado Cash, according to on-chain investigators. PeckShield separately estimated that 384 ETH, worth around $822,000, had already been transferred to the crypto mixing service.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/PeckShieldAlert?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">#PeckShieldAlert<\/a> <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/dcfgod?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@dcfgod<\/a> reports that <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/EchoProtocol_?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@EchoProtocol_<\/a> was hacked on <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/monad?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@monad<\/a> <\/p>\n<p>The hacker minted 1k <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24eBTC&amp;src=ctag&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">$eBTC<\/a> ($76.7M) &amp;, utilizing the tested flow, deposited 45 <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24eBTC&amp;src=ctag&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">$eBTC<\/a> ($3.45M) into Curvance. They then borrowed ~11.29 <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24WBTC&amp;src=ctag&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">$WBTC<\/a> ($867.7K) against it, bridged the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24WBTC&amp;src=ctag&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">$WBTC<\/a> to <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/Ethereum?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">#Ethereum<\/a>, swapped\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/DjgI0v85Rw\">https:\/\/t.co\/DjgI0v85Rw<\/a> <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/wNnA77UDuI\">pic.twitter.com\/wNnA77UDuI<\/a><\/p>\n<p>\u2014 PeckShieldAlert (@PeckShieldAlert) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/PeckShieldAlert\/status\/2056519415211192670?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 18, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>Most of the unauthorized supply remains untouched. Lookonchain and DeBank data showed the attacker still controls about 955 eBTC valued at more than $73 million.\u00a0<\/p>\n<p>According to DefiPrime founder Nick Sawinyh <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/defiprime.com\/echo-ebtc-monad-exploit\" target=\"_blank\" rel=\"nofollow\">stated<\/a> the remaining tokens appear stranded because Monad\u2019s current lending and decentralized exchange liquidity cannot absorb an exit of that size.<\/p>\n<p>\u201cFor anyone using newly-launched lending markets on newly-launched chains, the practical takeaway is narrow: before you supply real assets, look at what the borrowable collateral actually is, who can mint it, and whether anything stops them from minting more. If your lender can\u2019t tell you which keys can produce that collateral, neither can you,\u201d Sawinyh added.<\/p>\n<h2 class=\"wp-block-heading\">Admin key compromise suspected<\/h2>\n<p>While Echo Protocol initially confirmed only that it was investigating a \u201csecurity incident impacting the Echo bridge on Monad,\u201d blockchain developer Marioo later said the issue stemmed from an admin private key compromise rather than a smart contract failure.<\/p>\n<p>According to Marioo, the eBTC contract itself <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/MarioY00\/status\/2056514989108732272\" target=\"_blank\" rel=\"nofollow\">operated<\/a> as intended, though several operational weaknesses allowed the attack to escalate. The researcher pointed to the use of a single-signature admin role, the absence of a timelock mechanism, no minting cap or issuance rate limit, and a lack of collateral verification checks on Curvance for newly minted eBTC.<\/p>\n<p>Curvance acknowledged the incident shortly afterward and said the affected Echo eBTC market had been paused as a precaution. The protocol added that its isolated market structure prevented the issue from spreading to other lending pools and stated there was no indication that Curvance\u2019s own smart contracts had been compromised.<\/p>\n<p>On the network side, Monad co-founder Keone Hon said the blockchain itself continued operating normally and had not been breached.\u00a0<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">To clarify, the Monad network is not affected and is operating normally<\/p>\n<p>Security researchers in their review have determined that ~$816,000 appears to have been stolen as a result of this exploit of <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/EchoProtocol_?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@EchoProtocol_<\/a> &#8216;s eBTC<\/p>\n<p>\u2014 Keone Hon (@keoneHD) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/keoneHD\/status\/2056514249543786937?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 18, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>In a later update, Hon <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/keoneHD\/status\/2056514249543786937?s=20\" target=\"_blank\" rel=\"nofollow\">stated<\/a> that security researchers estimated around $816,000 in actual value had been extracted through the exploit despite the much larger unauthorized mint.<\/p>\n<p>Echo Protocol, which operates as a Bitcoin liquidity and yield platform across multiple chains, including Aptos and Monad, said cross-chain transactions had been suspended while the investigation continues. The team added that future updates would be shared through its official channels.<\/p>\n<h2 class=\"wp-block-heading\">Several DeFi exploits have transpired in 2026<\/h2>\n<p>The exploit has added to a growing list of DeFi security incidents this month alone, including the recent $11.6 million exploit involving Verus Protocol\u2019s Ethereum bridge.<\/p>\n<p>Earlier this year, Drift Protocol lost roughly $285 million in an exploit, while Kelp DAO suffered a separate attack that resulted in losses of about $292 million.\u00a0<\/p>\n<p>More recently, THORChain halted trading activity after blockchain investigator ZachXBT flagged a suspected $10 million exploit, while Transit Finance disclosed a deprecated smart contract attack that led to losses of nearly $1.88 million.<\/p>\n<\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bitcoin-focused DeFi platform Echo Protocol has suffered an exploit after an attacker minted roughly 1,000 unauthorized eBTC tokens on the protocol\u2019s Monad deployment. Summary Echo Protocol suspended cross-chain transactions after&hellip;<\/p>\n","protected":false},"author":1,"featured_media":19086,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-29016","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=29016"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29016\/revisions"}],"predecessor-version":[{"id":29017,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29016\/revisions\/29017"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/19086"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=29016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=29016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=29016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}