
In brief
- Attackers minted 1,000 eBTC on Echo Protocol’s Monad blockchain deployment before borrowing and moving funds across chains.
- Echo Protocol said a compromised admin key enabled the unauthorized minting activity and estimated losses at roughly $816,000.
- The exploit marks the latest in a string of DeFi attacks that have raised concerns around cross-chain and protocol security.
Bitcoin liquidity aggregation and yield infrastructure layer Echo Protocol was hit by an exploit on its deployment on the Monad blockchain after an attacker minted 1,000 unauthorized eBTC worth roughly $77 million, with around $816,000 ultimately laundered through coin mixer Tornado Cash.
Blockchain security firm PeckShield flagged the incident, citing onchain sleuth dcfgod, noting the attacker “minted 1k $eBTC ($76.7M) &, using the tested flow, deposited 45 $eBTC ($3.45M) into Curvance.”
The hacker then borrowed roughly 11.29 WBTC ($867,700) against the collateral, bridged the WBTC to Ethereum, swapped it for ETH, and sent 384 ETH (~$821,700) to Tornado Cash.
Echo Protocol confirmed the breach in a Tuesday tweet, saying its investigation “indicates the issue originated from a compromised admin key affecting the Monad deployment.”
Earlier today, Echo Protocol identified unauthorized activity involving eBTC on Monad that resulted in unauthorized minting and related fund loss.
Our investigation indicates the issue originated from a compromised admin key affecting the Monad deployment. Based on current…
— Echo Protocol (@EchoProtocol_) May 19, 2026
“Based on current findings, roughly $816K was impacted on Monad. The Monad network itself was not impacted and continues to operate normally,” the team said, adding it has “successfully regained control of our admin keys and burnt the remaining 955 eBTC that was in the attacker’s possession.”
Decrypt has reached out to Echo Protocol for comment.
The exploit follows a familiar admin-key pattern that has plagued cross-chain protocols, where a single compromised credential can unlock minting privileges across an entire deployment.
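A mint that a single key can authorize is also a mint that monitoring can reconcile from the outside. The following is an added example, not Echo Protocol's code: a Python check that compares mint events against recorded backing deposits and a per-mint supply cap. The event fields, deposit ledger, 400-token starting supply and 5% cap are assumptions; only the 1,000-token mint size comes from the article.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class Mint:
    tx: str                    # constructed transaction label
    minter: str                # constructed label of the calling key
    amount: Decimal            # wrapped tokens minted
    deposit_id: Optional[str]  # backing deposit reference, None if absent

def review_mints(mints, deposits, supply, max_fraction=Decimal("0.05")):
    """Return (tx, reason) alerts for mints that break a backing or size rule.

    deposits: deposit_id -> backing amount from a bridge ledger (assumed source)
    supply:   circulating supply before the first mint in the batch
    """
    alerts, used = [], set()
    for m in mints:
        backing = deposits.get(m.deposit_id) if m.deposit_id else None
        if backing is None:
            alerts.append((m.tx, "mint without a recorded backing deposit"))
        elif m.deposit_id in used:
            alerts.append((m.tx, "backing deposit already consumed"))
        else:
            used.add(m.deposit_id)
            if m.amount > backing:
                alerts.append((m.tx, "mint exceeds backing deposit"))
        # Size rule: one mint should not be a large share of existing supply.
        if supply > 0 and m.amount / supply > max_fraction:
            alerts.append((m.tx, "single mint above supply-fraction cap"))
        supply += m.amount
    return alerts

# Constructed sample data; none of these labels or ledger values are real.
SAMPLE_DEPOSITS = {"d1": Decimal("2"), "d2": Decimal("2")}
SAMPLE_MINTS = [
    Mint("tx-a", "bridge-relayer", Decimal("2"), "d1"),    # backed, small
    Mint("tx-b", "admin-key", Decimal("1000"), None),      # unbacked, oversized
    Mint("tx-c", "bridge-relayer", Decimal("2"), "d1"),    # deposit reused
    Mint("tx-d", "bridge-relayer", Decimal("3"), "d2"),    # more than backing
]

if __name__ == "__main__":
    for tx, reason in review_mints(SAMPLE_MINTS, SAMPLE_DEPOSITS, Decimal("400")):
        print(tx, "->", reason)
```

The same two rules can be enforced on-chain as a mint precondition; run off-chain over event logs they act as an alert that does not depend on the admin key staying uncompromised.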
Echo said the incident “appears isolated to Monad,” with “no evidence of compromise on Aptos.”
The team noted that aBTC on Aptos and eBTC on Monad are separate, non-bridgeable assets, with current Aptos exposure limited to roughly $71,000 across Echo lending markets and Hyperion liquidity pools, and no confirmed loss of funds on that chain.
eBTC is Echo’s wrapped Bitcoin representation on Monad, while aBTC is its counterpart on Aptos, both designed to bring BTC liquidity into DeFi applications on those chains.
Misha Putiatin, co-founder of Symbiotic and smart contract security firm Statemind, told Decrypt that the industry should expect more incidents of this kind as protocols lean harder on off-chain components.
“As DeFi protocols become increasingly dependent on off-chain infrastructure, we’re likely to see a resurgence of ‘Web2.5’ style attacks targeting centralized key management, databases, and operational infrastructure,” Putiatin said.
Calling it a “balancing act,” he said systems with “more involved management” become increasingly vulnerable to social engineering and infrastructure attacks compared with “fully permissionless systems.”
Putiatin said centralized and off-chain components of DeFi protocols have historically been “treated as secondary risk areas,” but expects that to shift.
“We’ll likely see much more focus on operational infrastructure, key management, and internal security frameworks, similar to how smart contract audits became standard after the 2021 exploit cycle,” he said.
Precautionary measures
Echo has paused cross-chain functionality for the Monad deployment and completed an upgrade of the relevant Monad contracts “to restrict affected operations and strengthen control over sensitive functions.”
The Aptos bridge has been fully paused as a precaution despite no observed impact, and Echo Aptos Lending has been suspended for security.
The team said it is also upgrading its EVM-series bridge deployments “to further strengthen cross-chain controls and reduce operational risk.”
Attacks on DeFi
The Echo Protocol breach adds to mounting pressure on DeFi security after recent exploits at THORChain and TrustedVolumes, as well as last month’s $293 million infrastructure-linked attack on KelpDAO, attributed to North Korea’s Lazarus Group.
Echo said it is performing a comprehensive review of the affected Monad deployment and related bridge infrastructure, including admin key exposure, contract permissions, cross-chain controls, and minting controls, alongside ecosystem partners and external security reviewers.
