Echo Protocol Hit by $76.7M eBTC Mint on Monad Bridge

A compromised administrator key let an attacker mint 1,000 unauthorized synthetic Bitcoin tokens on the Echo Protocol bridge deployed on Monad on May 18, 2026, exposing a critical design gap in DeFi cross-chain infrastructure and prompting an immediate suspension of all bridge activity.

The notional value of the mint reached roughly $76.7 million. However, confirmed losses stand at approximately $816,000, according to Echo Protocol’s official statement published May 19. The gap between the two figures is central to understanding what actually happened.

How the Attack Moved From Mint to Mixer

The attacker minted 1,000 eBTC, then deposited 45 of those tokens, worth around $3.45 million, into the DeFi lending protocol Curvance as collateral. 

Against that position, the attacker borrowed 11.3 wrapped Bitcoin worth $868,000, bridged the tokens to Ethereum, swapped them for ETH, and sent 384 ETH, worth about $822,000, to the Tornado Cash mixing service.

Blockchain security firm PeckShield put the extracted amount at roughly $821,700 through that laundering route. The remaining 955 eBTC, worth approximately $73 million on paper, could not be easily converted. 

DefiPrime founder Nick Sawinyh noted the tokens appeared stranded because Monad’s current lending and decentralized exchange liquidity could not absorb an exit of that size.

Echo Protocol’s investigation found the incident was caused by an attack on an administrator key tied to its Monad deployment. 

The team said it regained control of that key and burned the remaining 955 eBTC held by the attacker.

What Security Researchers Found in Echo’s Design

The eBTC contract worked exactly as designed, researchers noted. The vulnerabilities identified included a single signature for the admin role, no timelock, no minting supply cap or rate limit, and no supply check by Curvance on freshly minted collateral.

Blockchain developer Marioo described the incident as a compromised admin private key, not a smart contract bug, placing it closer to an operational failure than a technical defect.

Curvance and Monad Draw Clear Lines

Curvance said in a statement: “At approximately 6:00 PM EST, we were made aware of an anomaly detected in the Echo eBTC market on Curvance. At this time, there is no indication of any compromise with Curvance’s smart contracts. 

Due to Curvance’s fully isolated market architecture, no other markets are impacted. Out of an abundance of caution, the affected market has been paused while our team actively investigates the situation alongside ecosystem partners.”

Monad co-founder Keone Hon said the blockchain itself continued operating normally and had not been breached. He added on X: “Security researchers in their review have determined that ~$816,000 appears to have been stolen as a result of this exploit of @EchoProtocol_’s eBTC.”

Echo Protocol confirmed the Monad network was not affected, stressed that the incident was not caused by a problem with the chain, and said the breach appeared limited to the Monad deployment with no evidence that its Aptos deployment was affected. 

The protocol added that Aptos-based aBTC and Monad-based eBTC are separate assets and do not support bridging between each other.

Where the Third Major DeFi Breach in Five Days Leaves Users

The Echo Protocol exploit was the third major DeFi hack in five days. THORChain confirmed a vault breach on May 15 that drained more than $10 million. 

Three days later, security researchers flagged an exploit of the Verus-Ethereum Bridge, in which attackers drained roughly $11.58 million in digital assets.

PeckShield reported that hackers have stolen roughly $328.6 million from eight bridge-related attacks so far in 2026, with the largest breach striking Kelp DAO in April, when attackers drained nearly $292 million in rsETH from its bridge infrastructure.

Echo Protocol said it has temporarily suspended cross-chain functions tied to the Monad deployment and is upgrading its EVM bridge contract and permission control system. 

The team also urged users not to interact with any compensation, refund, or recovery pages not posted through official channels.

No timeline for resuming bridge operations has been confirmed. A full postmortem from Echo Protocol or an independent security partner has not yet been published as of May 19, 2026.