Decentralized finance protocol Echo Protocol was exploited after an attacker minted about 1,000 unauthorized eBTC on the protocol, which is deployed on the Monad blockchain.
Blockchain security firm PeckShield and analytics platform Lookonchain both reported the incident on Tuesday, noting that a hacker minted 1,000 synthetic Bitcoin (eBTC) worth around $76.7 million.
“We’re currently investigating a security incident impacting the Echo bridge on Monad. All cross-chain transactions remain suspended while the investigation is underway,” Echo Protocol said on Tuesday.
This latest exploit comes in a month that has seen at least 12 protocols compromised, including THORChain, Verus Protocol’s Ethereum bridge, Transit Finance, TrustedVolumes and Ekubo.
According to PeckShield, the attacker tried to launder some of the loot by depositing 45 eBTC worth around $3.45 million into DeFi lending and liquidity management protocol Curvance.
The attacker then borrowed 11.3 wrapped Bitcoin (wBTC) worth $868,000 against it, bridged the tokens to Ethereum, swapped them for ETH, and sent 384 ETH worth about $822,000 to the Tornado Cash mixing service.
The attacker still holds 955 eBTC worth about $73 million, according to DeBank.
Echo Protocol is a Bitcoin DeFi platform focused on Bitcoin liquidity aggregation, liquid staking, restaking, and yield generation. It creates unified, liquid BTC assets such as eBTC for users to bridge and deploy in DeFi for additional yield. The protocol is deployed on Monad, a high-performance, layer-1, EVM-compatible blockchain.
The hacker still holds 95% of the stolen crypto. Source: DeBank
Admin private key compromised
Blockchain developer “Marioo” reported that it was not a smart contract bug, but an admin private key compromise, and the root cause was “operational, not technical.”
The eBTC contract “worked exactly as designed,” they said, adding that the vulnerabilities included a single signature for the admin role, no timelock, no minting supply cap or rate limit, and no “supply sanity check” by Curvance for the freshly minted collateral.
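The controls listed as missing above can be modelled off-chain in a few lines. The sketch below is an added illustration, not code from Echo Protocol or Curvance; the class names, thresholds and supply figures are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class MintPolicy:                # every threshold here is an assumed value
    supply_cap: int = 5_000      # hard ceiling on total token supply
    window_s: int = 86_400       # rate-limit window in seconds (24 h)
    window_limit: int = 50       # maximum amount minted per window
    min_signers: int = 3         # M-of-N approvals instead of a single key
    timelock_s: int = 172_800    # delay between proposal and execution (48 h)

@dataclass
class MintGuard:
    policy: MintPolicy
    total_supply: int = 0
    history: list = field(default_factory=list)  # (timestamp, amount) pairs

    def check(self, amount, signers, proposed_at, now):
        """Return the names of the violated controls; empty means allowed."""
        p, failed = self.policy, []
        if len(set(signers)) < p.min_signers:       # duplicates do not count
            failed.append("signers")
        if now - proposed_at < p.timelock_s:        # too early to execute
            failed.append("timelock")
        if self.total_supply + amount > p.supply_cap:
            failed.append("supply_cap")
        recent = sum(a for t, a in self.history if now - t < p.window_s)
        if recent + amount > p.window_limit:
            failed.append("rate_limit")
        return failed

    def mint(self, amount, signers, proposed_at, now):
        failed = self.check(amount, signers, proposed_at, now)
        if failed:
            raise PermissionError("mint rejected: " + ", ".join(failed))
        self.total_supply += amount
        self.history.append((now, amount))

def collateral_supply_sane(supply_before, supply_now, max_growth=0.10):
    """Lender-side check: flag collateral whose supply grew too fast."""
    if supply_before <= 0:
        return False                                # no baseline, fail closed
    return (supply_now - supply_before) / supply_before <= max_growth
```

With these assumed limits, a 1,000-token mint signed by one key and executed immediately fails three independent controls, and a lending market comparing supply snapshots would refuse the doubled collateral.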
Curvance reported that it was aware of the “anomaly” detected in the Echo eBTC market on Curvance and confirmed that there was no compromise of its own smart contracts. It paused the affected market for investigation.
Monad co-founder Keone Hon clarified on X that “the Monad network is not affected and is operating normally.”
Meanwhile, Echo Protocol said it will provide updates through its official channels as more information becomes available.
DeFi hacks surge in 2026
The year has been challenging for DeFi security, with dozens of protocols exploited for hundreds of millions in crypto and more than 20 protocols shuttering services.
Two of the biggest hacks this year included the exploit of the Drift Protocol, which lost $285 million, and Kelp DAO, which was exploited for $292 million in April.
On Monday, Verus Protocol’s Ethereum bridge was exploited through a fake cross-chain transfer message that allowed a hacker to steal at least $11.6 million in crypto.
Decentralized liquidity protocol THORChain halted trading on Friday after blockchain investigator ZachXBT flagged a suspected $10 million exploit.
Meanwhile, Transit Finance suffered a deprecated smart contract exploit, resulting in the loss of $1.88 million last week.

