In short
- Attackers minted 1,000 eBTC on Echo Protocol’s Monad blockchain deployment earlier than borrowing and shifting funds throughout chains.
- Echo Protocol stated a compromised admin key enabled the unauthorized minting exercise and estimated losses at roughly $816,000.
- The exploit marks the newest in a string of DeFi assaults which have raised issues round cross-chain and protocol safety.
Bitcoin liquidity aggregation and yield infrastructure layer, Echo Protocol, was hit by an exploit on its deployment on the Monad blockchain after an attacker minted 1,000 unauthorized eBTC value roughly $77 million, with round $816,000 finally laundered by means of coin mixer Twister Money.
Blockchain safety agency PeckShield flagged the incident, citing onchain sleuth dcfgod, noting the attacker “minted 1k $eBTC ($76.7M) &, using the examined movement, deposited 45 $eBTC ($3.45M) into Curvance.”
The hacker then borrowed roughly 11.29 WBTC ($867,700) towards the collateral, bridged the WBTC to Ethereum, swapped them for ETH, and despatched 384 ETH (~$821,700) to Twister Money.
Echo Protocol confirmed the breach in a Tuesday tweet, saying its investigation “signifies the problem originated from a compromised admin key affecting the Monad deployment.”
Earlier immediately, Echo Protocol recognized unauthorized exercise involving eBTC on Monad that resulted in unauthorized minting and related fund loss.
Our investigation signifies the problem originated from a compromised admin key affecting the Monad deployment. Primarily based on present…
— Echo Protocol (@EchoProtocol_) Might 19, 2026
“Primarily based on present findings, roughly $816K was impacted on Monad. The Monad community itself was not impacted and continues to function usually,” the crew stated, including it has “efficiently regained management of our admin keys and burnt the remaining 955 eBTC that was within the attacker’s possession.”
Decrypt has reached out to Echo Protocol for remark.
The exploit follows a well-known admin-key sample that has plagued cross-chain protocols, the place a single compromised credential can unlock minting privileges throughout a whole deployment.
Echo stated the incident “seems remoted to Monad,” with “no proof of compromise on Aptos.”
The crew famous that aBTC on Aptos and eBTC on Monad are separate, non-bridgeable belongings, with present Aptos publicity restricted to roughly $71,000 throughout Echo lending markets and Hyperion liquidity swimming pools, and no confirmed lack of funds on that chain.
eBTC is Echo’s wrapped Bitcoin illustration on Monad, whereas aBTC is its counterpart on Aptos, each designed to carry BTC liquidity into DeFi purposes on these chains.
Misha Putiatin, co-founder of Symbiotic and sensible contract safety agency Statemind, instructed Decrypt that the business ought to count on extra incidents of this sort as protocols lean more durable on off-chain parts.
“As DeFi protocols turn into more and more depending on off-chain infrastructure, we’re more likely to see a resurgence of ‘Web2.5’ fashion assaults focusing on centralized key administration, databases, and operational infrastructure,” Putiatin stated.
Calling it a “balancing act,” he stated techniques with “extra concerned administration” turn into more and more weak to social engineering and infrastructure assaults in contrast with “totally permissionless techniques.”
Putiatin stated centralized and off-chain parts of DeFi protocols have traditionally been “handled as secondary threat areas,” however expects that to shift.
“We’ll probably see way more deal with operational infrastructure, key administration, and inner safety frameworks, much like how sensible contract audits grew to become commonplace after the 2021 exploit cycle,” he stated.
Precautionary measures
Echo has paused cross-chain performance for the Monad deployment and accomplished an improve of the related Monad contracts “to limit affected operations and strengthen management over delicate capabilities.”
The Aptos bridge has been totally paused as a precaution regardless of no noticed impression, and Echo Aptos Lending has been suspended for safety.
The crew stated it’s also upgrading its EVM-series bridge deployments “to additional strengthen cross-chain controls and cut back operational threat.”
Assaults on DeFi
The Echo Protocol breach provides to mounting strain on DeFi safety after current exploits at THORChain and TrustedVolumes, in addition to final month’s $293 million infrastructure-linked assault on KelpDAO, attributed to North Korea’s Lazarus Group.
Echo stated it’s performing a complete evaluate of the affected Monad deployment and associated bridge infrastructure, together with admin key publicity, contract permissions, cross-chain controls, and minting controls, alongside ecosystem companions and exterior safety reviewers.
Each day Debrief Publication
Begin day-after-day with the highest information tales proper now, plus authentic options, a podcast, movies and extra.