Key Takeaways
- On Monday, May 18, an admin key exploit hit Echo Protocol, leading to an $816,000 asset breach.
- Low liquidity on Monad shielded the market, limiting actual losses from a fake $76.7 million eBTC mint.
- Echo Protocol is now upgrading its bridge security and contract permission controls to stop future lapses.
Liquidity Limits Prevent Massive Losses
Echo Protocol, a decentralized finance (DeFi) platform focused on bitcoin liquidity, was hit by a security exploit on Monday, May 18, after an attacker compromised an administrative key to mint millions of dollars in unauthorized synthetic assets.
The breach, which occurred on Echo Protocol’s deployment within the Monad blockchain network, initially saw the hacker mint 1,000 eBTC tokens with an estimated value of $76.7 million. However, because the localized decentralized lending markets lacked the deep liquidity required to absorb or cash out the massive influx of fake tokens, the actual realized losses were limited to approximately $816,000.
According to reports from blockchain security firms PeckShield and Lookonchain, the attacker utilized the compromised administrative access to grant their own digital wallet minting privileges. After generating the 1,000 eBTC tokens, the hacker deposited 45 eBTC into the decentralized lending protocol Curvance to serve as collateral.
Against that collateral, the attacker successfully borrowed 11.29 WBTC and then bridged those assets to the Ethereum network, swapped them for ether (ETH), and funneled approximately 385 ETH into Tornado Cash.
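The on-chain pattern reported above (a minter role granted to a new wallet, followed shortly by an outsized mint) is something a monitoring job can alert on. The sketch below is an added example, not code from Echo Protocol or the original article; the event fields, addresses, minter allowlist, per-transaction cap and time window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy values (hypothetical, not Echo Protocol's real configuration).
APPROVED_MINTERS = {"0xbridge"}   # accounts expected to hold the minter role
MAX_MINT_PER_TX = 50.0            # largest mint considered routine, in eBTC
GRANT_TO_MINT_WINDOW = 3600       # seconds; a mint this soon after a grant is suspicious

@dataclass
class Event:
    ts: int          # block timestamp, seconds
    kind: str        # "role_granted" or "mint"
    actor: str       # account that signed the transaction
    subject: str     # account receiving the role or the minted tokens
    amount: float = 0.0

def detect(events):
    """Return (timestamp, rule, account) alerts for risky grant/mint activity."""
    alerts = []
    grants = {}  # account -> timestamp of its most recent minter-role grant
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "role_granted":
            grants[ev.subject] = ev.ts
            if ev.subject not in APPROVED_MINTERS:
                alerts.append((ev.ts, "unapproved_minter_grant", ev.subject))
        elif ev.kind == "mint":
            if ev.actor not in APPROVED_MINTERS:
                alerts.append((ev.ts, "mint_by_unapproved_minter", ev.actor))
            if ev.amount > MAX_MINT_PER_TX:
                alerts.append((ev.ts, "mint_over_cap", ev.actor))
            granted = grants.get(ev.actor)
            if granted is not None and ev.ts - granted <= GRANT_TO_MINT_WINDOW:
                alerts.append((ev.ts, "mint_soon_after_grant", ev.actor))
    return alerts

# Constructed sample events: one routine bridge mint, then a role grant to a
# new wallet followed one minute later by a 1,000 eBTC mint.
SAMPLE = [
    Event(1000, "mint", "0xbridge", "0xuser1", 0.5),
    Event(2000, "role_granted", "0xadmin", "0xnewminter"),
    Event(2060, "mint", "0xnewminter", "0xnewminter", 1000.0),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The grant alert fires before any tokens exist, which is the point at which pausing the bridge or revoking the role prevents the mint rather than containing it afterwards.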
Echo Protocol confirmed the security incident via its official social media channels, stating that the bridge infrastructure on Monad had been temporarily suspended to prevent further unauthorized activity.
“Our investigation indicates the issue originated from a compromised admin key affecting the Monad deployment,” Echo Protocol said in a statement.
Developers noted that the exploit stemmed from an operational and access-control failure regarding key management, rather than a flaw in the underlying smart contract code itself. The protocol team has since regained control of the administrative key and moved to contain the damage by burning the remaining 955 eBTC tokens that were left sitting unusable in the attacker’s wallet.
Keone Hon, co-founder of the Monad blockchain, clarified that the network’s core infrastructure remained entirely secure.
“Monad was not affected and continues to operate normally,” Hon stated, adding that the issue was isolated strictly to the application and its bridge deployment.
Curvance, the lending protocol where the hacker extracted the funds, also paused the affected eBTC market as a precautionary measure. Representatives for Curvance emphasized that its isolated market architecture successfully prevented the exploit from bleeding into other lending pools, reporting no signs that its own smart contracts were breached.
The platform noted that its deployment on the Aptos network remains unaffected, as aBTC on Aptos and eBTC on Monad operate as entirely separate and non-interoperable assets.
Echo Protocol stated that it is upgrading its Ethereum Virtual Machine bridge contracts and tightening its permission control mechanisms to prevent future lapses. The incident marks the latest in a string of administrative and infrastructure-related exploits to impact the decentralized finance sector this month.




