Ethereum Layer 2 protocol Taiko confirmed a critical safety breach on Monday after an attacker exploited a flaw in its bridge verification system, draining an estimated $1.5 million to $1.7 million from its ERC20 Vault. The incident has halted block manufacturing on the community and prompted pressing warnings for customers to safe their funds.
What Occurred
Taiko confirmed a compromise of its chain state verification mechanism, warning that the safety assumptions of all bridges deployed on the protocol can not be relied upon. The group stated it was coordinating with its Safety Council and ecosystem companions to include the injury and urged all customers to withdraw funds from Taiko bridges instantly.
The breach was first flagged by blockchain safety agency Blockaid, whose exploit detection system recognized an ongoing assault on Taiko’s ERC20 Vault on Ethereum, estimating preliminary losses at greater than $1 million.
The foundation trigger, in keeping with Blockaid, was a vital flaw in how Taiko’s bridge validated cross-chain messages. Crafted message proofs have been accepted as legitimate on Ethereum L1 with out corresponding respectable MessageSent occasions on the Taiko supply chain. This allowed the attacker to register and later retrieve fraudulent bridge messages, leading to unauthorized asset releases from the ERC20 vault. In easy phrases, the attacker tricked the bridge into believing respectable cross-chain transactions had occurred on Taiko after they had not, permitting them to withdraw actual belongings on the Ethereum facet with none legitimate backing.
Taiko’s Official Assertion (Supply: Taiko)
How A lot Was Stolen
Loss estimates have different throughout safety companies. Blockchain safety agency PeckShield estimated complete losses at roughly $1.7 million, larger than Blockaid’s preliminary determine of over $1 million.
On-chain knowledge tracked by Lookonchain added additional element: the attacker moved 1.99 million TAIKO tokens price roughly $189,000 to the MEXC change, whereas roughly 870.8 ETH valued at near $1.52 million remained sitting in exploiter wallets on the time of reporting. 4 attacker pockets addresses have been printed by the Taiko group:
- 0x7506DeA0c38ca0B55364B22424374c5A1ae1B76a
- 0x5fbc60a12bc6635e7d587d8dac52e4b1388b4990
- 0x3cc936b795a188f0e246cbb2d74c5bd190aecf18
- 0x9108828e30f2de407aadb0af677b4a9228e4acd4
Taiko’s ERC20 Vault Hacked (Supply: Arkham)
Taiko’s Response
The response from the Taiko group got here in a number of levels. First got here the emergency safety discover and the decision for customers to withdraw bridge funds. Then, in a follow-up submit, Taiko confirmed that every one block proposers had briefly stopped producing new blocks whereas the group investigates and works to resolve the difficulty, successfully bringing the community to a standstill as a containment measure.
Taiko additionally known as on centralized exchanges to droop TAIKO deposits instantly, stating that deposits ought to solely resume following an official all-clear discover from the challenge. The group stated it will pursue technical and authorized treatments the place vital however has not offered a timeline for restoring bridge performance or resuming block manufacturing.
In a later replace, Taiko stated the incident had been contained and that the Bridge and ERC20Vault had been paused. The group clarified that pending transactions will not be misplaced, merely paused, and that customers not have to take any motion to guard their funds whereas the bridge stays offline.
What Is Taiko
Taiko is a based mostly rollup — a kind of rollup that depends on Ethereum block validators to sequence transactions. It launched on mainnet in Might 2024 after being in growth since 2022. As a Sort 1 ZK-EVM, it’s designed to be totally equal to Ethereum, that means it helps the identical good contracts and developer instruments with out modification. The native TAIKO token is presently buying and selling at round $0.084, down roughly 98% from its 2024 peak.
A part of a Broader Sample
The Taiko hack is one in all at the very least 23 crypto exploits recorded in June 2026, in keeping with DeFiLlama. The month has been notably extreme for decentralized finance safety, with Humanity Protocol struggling the biggest single incident at over $30 million, adopted by Syscoin Bridge at greater than $8 million, Secret Community at $4.67 million via an infinite mint bug, and a $1.1 million drain from a PancakeSwap liquidity pool.
Bridge vulnerabilities have been among the many most focused assault surfaces in DeFi in 2026, with notable breaches hitting Gravity Bridge ($5.4 million), Axelar-Secret Community ($4.67 million), Alephium TokenBridge ($815,000), and Hyperbridge ($2.5 million), amongst others.
Cross-chain bridges stay structurally tough to safe as a result of they require one chain to belief statements made about exercise on one other. When the verification logic that enforces that belief might be manipulated, as was the case right here, attackers can manufacture withdrawals with none corresponding deposits.
What Comes Subsequent
The Taiko group has not given a selected timeline for when bridge companies will resume. The 4 printed attacker addresses give investigators and exchanges a path to comply with, and the velocity at which exchanges freeze the flagged wallets could decide whether or not any of the stolen funds might be recovered. Taiko has stated additional updates will probably be issued because the scenario develops.
