Echo Protocol: $76 Million Stolen in eBTC Minting Attack on Monad Blockchain

Echo Protocol, a decentralized finance platform specializing in Bitcoin liquidity and yield, fell victim to a major exploit on May 19, 2026. An attacker successfully minted approximately 1,000 unauthorized eBTC tokens, representing a value of around $76 million, on the Monad blockchain. This attack occurs against a backdrop of surging security incidents in the decentralized finance sector, with several significant exploits recorded throughout May 2026.

Context

Echo Protocol is a Bitcoin liquidity protocol that issues synthetic representations of BTC, notably eBTC on Monad and aBTC on Aptos. These tokens enable users to access yield products using their Bitcoin as collateral across various blockchains. The protocol experienced significant growth on the Monad ecosystem, a Layer 1 blockchain recognized for its high performance and native support for DeFi applications.

The platform functions as a Bitcoin liquidity infrastructure layer, allowing BTC holders to participate in lending, borrowing, and yield activities without selling their holdings. This approach attracted substantial capital to the protocol, making it a target for increasingly sophisticated attacks. eBTC serves as the central mechanism for generating liquidity on decentralized money markets.

Echo Protocol’s technical architecture relies on smart contracts that manage the issuance and destruction of synthetic tokens. The governance system uses an admin role controlled by a single private key, a configuration that proved vulnerable during this attack. This method of controlling admin rights is common across many DeFi protocols but presents significant risks when the amounts involved are substantial.

The May 19 attack is not an isolated incident. It is part of a series of DeFi exploits that have affected the sector in recent weeks. THORChain lost $10.7 million on May 15, the Verus-Ethereum bridge was drained of $11.5 million on May 18, and now Echo Protocol has lost $76 million. This accumulation of security incidents raises serious questions about the state of security in the decentralized finance sector.

The total amount diverted during May 2026 alone now exceeds $400 million, making it one of the most dangerous months for the DeFi sector. Blockchain security experts note that attackers are developing increasingly sophisticated methods to identify and exploit protocol weaknesses. This trend reflects a professionalization of criminal activities in the crypto space.

Facts

According to information disclosed by Echo Protocol and confirmed by several blockchain security firms including PeckShield and WatchGull, the attack was made possible by the compromise of an administrative private key. This key controlled the admin role of the eBTC contract on Monad, with no multisignature protection or timelock in place. The attacker was able to execute the minting contract without any restriction, creating nearly 1,000 eBTC from nothing.

The total value of the unbacked tokens issued amounts to approximately $76.64 million at the spot Bitcoin price of around $77,000. At this price level, each eBTC token represents approximately one unit of Bitcoin, explaining the scale of the diversion. The attacker exploited the fact that the contract accepted minting without prior verification of the underlying reserve.

On-chain research conducted by Lookonchain and DeBank shows that the attacker subsequently deposited part of these funds on Curvance, a lending protocol operating on Monad, to borrow real Wrapped Bitcoin. The amount borrowed through this method amounts to $3.45 million in WBTC. This operation enabled the conversion of a portion of the fraudulent eBTC tokens into real assets.

The stolen funds were then laundered through the Tornado Cash mixer, a cryptocurrency mixing service widely used to conceal the origin of illicit funds. According to DeBank data, the attacker still controls approximately 955 eBTC, representing nearly 95% of the total stolen, for a value of approximately $73 million. This significant position is explained by the fact that Monad’s liquidity depth cannot absorb larger sales without causing substantial price slippage.

Security analyses determined that the attack exploited several structural weaknesses. The absence of a mint cap allowed the attacker to create a massive volume of tokens, the absence of a timelock on admin operations enabled immediate execution, and the absence of multisignature meant that compromising a single key was enough. These three combined factors created the perfect conditions for a large-scale exploit.

Echo Protocol stated it regained control of the admin keys and burned the 955 eBTC still held by the attacker through a contract upgrade. This action significantly reduced direct losses and neutralized the majority of risk for protocol users. However, part of the funds borrowed through Curvance remains irrecoverable, as they have already been withdrawn from the protocol by the attacker.

The protocol also suspended all cross-chain operations and paused the Aptos bridge as a precautionary measure. This conservative decision aims to prevent the attack from spreading to other blockchains or other protocol products. The Aptos bridge suspension specifically concerns transfers between Aptos and other networks, as the team suspected the vulnerability might affect other deployments.

Analysis

This exploit highlights structural weaknesses in DeFi protocol design. The use of a single signature to control critical administrative functions constitutes a major risk that has been documented in numerous previous incidents. Blockchain security experts emphasize that contracts handling large-value assets should implement more robust governance mechanisms, including timelocks, quorum requirements for sensitive operations, and transaction limits.
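The controls listed above (quorum, timelock, a per-operation limit) together with the reserve verification the Facts section says was missing, sketched as an added Solidity example. It is not Echo Protocol's code; it assumes an EVM-style contract, and `GuardedMint`, `IReserveFeed`, the delay and the cap values are hypothetical.

```solidity
pragma solidity ^0.8.20;

// Hypothetical proof-of-reserve feed; not an Echo Protocol interface.
interface IReserveFeed { function provenReserves() external view returns (uint256); }

contract GuardedMint {
    struct Proposal { address to; uint256 amount; uint256 eta; uint256 approvals; bool executed; }
    uint256 public constant DELAY = 2 days;   // timelock before a queued mint can run (illustrative)
    uint256 public constant MINT_CAP = 10e8;  // limit per proposal: 10 units at 8 decimals (illustrative)
    uint256 public immutable threshold;       // M-of-N quorum
    IReserveFeed public immutable reserves;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isSigner;
    mapping(uint256 => mapping(address => bool)) public approved;
    Proposal[] public proposals;

    constructor(address[] memory signers, uint256 m, IReserveFeed feed) {
        require(m > 1 && m <= signers.length, "threshold");
        for (uint256 i = 0; i < signers.length; i++) {
            require(!isSigner[signers[i]], "duplicate signer");
            isSigner[signers[i]] = true;
        }
        threshold = m;
        reserves = feed;
    }

    modifier onlySigner() { require(isSigner[msg.sender], "not signer"); _; }

    // Queuing moves no tokens; it only starts the delay for a capped amount.
    function queueMint(address to, uint256 amount) external onlySigner returns (uint256 id) {
        require(amount <= MINT_CAP, "over cap");
        id = proposals.length;
        proposals.push(Proposal(to, amount, block.timestamp + DELAY, 0, false));
    }

    // Each signer can approve a given proposal once.
    function approve(uint256 id) external onlySigner {
        require(!approved[id][msg.sender], "already approved");
        approved[id][msg.sender] = true;
        proposals[id].approvals += 1;
    }

    // Mint only with quorum, after the delay, and never beyond proven reserves.
    function executeMint(uint256 id) external onlySigner {
        Proposal storage p = proposals[id];
        require(!p.executed && p.approvals >= threshold, "executed or no quorum");
        require(block.timestamp >= p.eta, "timelocked");
        require(totalSupply + p.amount <= reserves.provenReserves(), "unbacked");
        p.executed = true;
        totalSupply += p.amount;
        balanceOf[p.to] += p.amount;
    }
}
```

With a threshold of two or more, one stolen signer key can queue a mint but cannot reach quorum, and the delay leaves the other signers time to react before anything executes.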

The operating method of this attack resembles patterns observed during recent exploits of KelpDAO and Drift Protocol, which lost $293 million and $270 million respectively. In each case, a weakness in privileged role control mechanisms allowed attackers to manipulate contracts without authorization. The North Korean group Lazarus was implicated in the KelpDAO attack, suggesting state actors are now funding sophisticated DeFi exploit operations.

Security firms like Trail of Bits and OpenZeppelin have stated that smart contract audits are no longer sufficient to guarantee protocol security. The growing complexity of DeFi systems, with their inter-protocol interactions and distributed governance mechanisms, creates attack surfaces that are difficult to fully cover during traditional audits. More aggressive bug bounty programs and ethical hacking competitions are increasingly seen as necessary complements.

Echo Protocol’s response demonstrates rapid detection and reaction capability. The recovery of admin keys and burning of remaining tokens shows the protocol had effective emergency procedures in place. However, the lack of appropriate preventive measures remains a critical issue. Security audits and certifications appear insufficient to guarantee protocol resistance against sophisticated attacks from highly motivated actors.

The Monad ecosystem appears to be a priority target for attackers due to its relative novelty and recent capital influx. Protocols deployed on this blockchain must strengthen their security measures against this growing threat. The rapid growth of value locked on Monad necessarily attracts malicious actors seeking vulnerabilities. This dynamic is typical of new blockchain ecosystems that attract capital before security infrastructures reach full maturity.

Market Reactions

Cryptocurrency markets reacted moderately to this news, with attention more focused on macroeconomic developments and regulatory prospects. Bitcoin price did not experience significant variation due to this exploit, as traders seem accustomed to this type of incident in the DeFi sector. This acclimatization to hacks represents a concerning phenomenon for market maturity and the ability of actors to distinguish fundamental events from temporary technical disruptions.

On-chain data shows that deposits on DeFi protocols on the Monad blockchain decreased slightly in the hours following the announcement. This reaction reflects the fragile trust of users in protocols deployed on this blockchain. Curvance teams immediately paused the affected eBTC market to limit exposure to compromised funds. This cooperation between protocols to contain damage is a positive sign for the ecosystem.

Borrowing rates for stablecoins on decentralized lending protocols remained stable, indicating the incident did not trigger a generalized liquidity crisis. This relative resilience contrasts with similar incidents on other blockchains that sometimes caused chain reactions and massive margin calls. The fact that Curvance was able to absorb part of the impact without systemic propagation suggests decentralized security mechanisms still function to some extent.

Overall DeFi metrics for the Monad ecosystem remain solid despite this incident. Total value locked (TVL) on the blockchain decreased by only a few percent, suggesting users are not panicking and maintain confidence in unaffected protocols. This relative stability may however be tested if other security incidents occur in the coming weeks.

Perspectives

Prospects for the DeFi sector depend largely on the ability of protocols to strengthen their security measures. This series of exploits could accelerate the adoption of stricter security standards, including regular audits, more generous bug bounty programs, and more democratic governance mechanisms. Users are also beginning to demand greater transparency regarding protocol security practices before depositing funds.

On the regulatory side, these incidents could trigger increased attention from authorities on DeFi protocols. The ease with which funds can be laundered through mixers like Tornado Cash represents a major challenge for AML/CFT compliance. Regulators could tighten surveillance requirements for protocols handling significant volumes of user funds. The European Union and United States are already considering stricter regulatory frameworks for the sector.

For investors, this incident is a reminder of the importance of risk diversification in the DeFi sector. Concentrating capital on protocols with insufficient security mechanisms exposes users to catastrophic losses. Risk management strategies must incorporate rigorous assessment of protocol governance practices before any fund commitment. On-chain analytics tools like DeBank and Nansen now enable evaluation of smart contract risks before engagement.

The sector’s future will also depend on the ability of blockchain ecosystems to attract security talent to evaluate and improve protocols. Blockchain security research programs are multiplying in universities and cybersecurity companies. This professionalization of the sector could eventually help reduce the number and scale of exploits in coming years.
