Echo Protocol is investigating a security incident involving its bridge on Monad after an attacker minted 1,000 eBTC and used part of that position to extract liquidity through Curvance. The first public alarm came from dcfgod’s onchain post, which flagged that eBTC appeared to be minted out of nowhere on Monad before being used in a borrowing route.
The flow was later mapped through PeckShield-monitored activity: the attacker minted 1,000 eBTC, valued at roughly $76.7 million, deposited 45 eBTC worth about $3.45 million into Curvance, borrowed around 11.29 WBTC, bridged the WBTC to Ethereum, swapped it for ETH and sent 384 ETH, worth about $821,700, to Tornado Cash.
The $76.7 million figure should be read carefully. It reflects the notional value of the eBTC minted, not the amount that has been confirmed as fully extracted from the ecosystem. The visible cashout path centers on the borrowed WBTC and ETH routed through Ethereum, while follow-up updates have placed the actual stolen value closer to the low seven figures. That still makes the incident serious because a fake or unauthorized mint can stress collateral markets even when only part of the minted supply is successfully converted into liquid assets.
Curvance Pauses Affected Market As Teams Investigate
Echo Protocol has suspended all cross-chain transactions while the investigation continues, giving the team time to review the bridge path, eBTC minting permissions and any affected balances. The pause is the most important immediate user-protection step because bridge incidents can spread quickly when synthetic or wrapped assets remain active across multiple markets.
Curvance also moved to contain the damage. The protocol said it was alerted to an irregularity in the Echo eBTC market and paused the affected market while working with ecosystem partners. Curvance said there was no evidence its smart contracts had been compromised, and its isolated-market design meant no other markets were affected.
That containment point matters for lenders and borrowers. In isolated lending markets, risk is supposed to stay inside the specific market where collateral is listed. If the issue is limited to Echo eBTC collateral, other Curvance markets should not automatically inherit the same exposure. Users still need clarity on liquidations, bad debt, oracle treatment and whether any positions tied to eBTC require manual settlement or protocol intervention.
Monad Network Appears Unaffected
The incident is being treated as an Echo eBTC or bridge-layer problem, not a compromise of Monad itself. Monad co-founder Keone Hon said the network was operating normally, while preliminary security review put the stolen value around $816,000 from the EchoProtocol eBTC exploit. That aligns with the visible Tornado Cash route rather than the full $76.7 million notional mint.
Security commentary has also pointed toward a possible admin-key or permission issue, with SlowMist founder Yu Xian reportedly raising the possibility of a compromised single-point admin private key. That has not been confirmed by Echo Protocol, so the root cause remains open until the team publishes a postmortem or a security partner releases a technical breakdown.
The attack path is still familiar. A bridge-linked asset is minted, deposited as collateral, borrowed against in a lending market, bridged to Ethereum, swapped into ETH and routed through Tornado Cash. The sequence shows why cross-chain bridge exploits keep producing outsized market risk: once a wrapped asset can be created or treated as valid collateral, liquidity can leave through lending markets before teams fully understand the failure.
Echo’s next update needs to answer the operational questions users actually face: whether the 1,000 eBTC mint has been neutralized, whether Curvance has any bad debt from the borrowed WBTC, which keys or contracts were involved, whether the bridge remains paused, and how affected positions will be handled. The money trail now runs through Ethereum and Tornado Cash, but the bigger test is on Monad: proving the eBTC supply, bridge permissions and lending-market exposure are clean before normal cross-chain activity resumes.
Be the first to comment