Echo Protocol, a Bitcoin-focused DeFi project on the high-performance Monad blockchain, has suffered a major security breach. According to blockchain security firm PeckShield and on-chain analysts, an attacker minted approximately 1,000 unbacked eBTC tokens valued at around $76.7 million. The exploiter then used a portion of these synthetic assets as collateral to borrow real value before laundering funds through Tornado Cash.
The attack was first publicly flagged by on-chain analyst @dcfgod, who noticed anomalous minting activity on the Echo bridge. PeckShieldAlert subsequently detailed the fund flow.
Echo Protocol has officially confirmed the incident, stating: “We are currently investigating a security incident impacting the Echo bridge on Monad. All cross-chain transactions remain suspended while the investigation is underway.”
We are currently investigating a security incident impacting the Echo bridge on Monad. All cross-chain transactions remain suspended while the investigation is underway.
We will continue to provide timely updates through our official channels as more information becomes…
— Echo Protocol (@EchoProtocol_) May 19, 2026
Simplified Attack Breakdown
The attacker gained control of Echo Protocol’s administrator private key. Using this access, they minted 1,000 fake eBTC tokens without any actual Bitcoin backing.
They deposited around 45 of these fake eBTC into the Curvance lending protocol on Monad as collateral. With this fake collateral, they borrowed 11.29 WBTC (worth roughly $867,000). The stolen WBTC was then bridged to Ethereum, swapped for ETH, and approximately 384 ETH ($822,000) was sent through Tornado Cash to hide the trail.
The attacker still holds the remaining 955 fake eBTC tokens, which have very limited real-world value since they are completely unbacked. The actual realized loss is estimated at around $816,000 to $822,000.
Positive Update: Echo Team Regains Control
Earlier today, Echo Protocol identified unauthorized activity involving eBTC on Monad that resulted in unauthorized minting and associated fund loss.
Our investigation indicates the issue originated from a compromised admin key affecting the Monad deployment. Based on current…
— Echo Protocol (@EchoProtocol_) May 19, 2026
In a swift and effective response, the Echo Protocol team has successfully regained control of the compromised administrative keys. They immediately took action by burning the attacker’s remaining 955 fake eBTC tokens.
This decisive step has prevented the attacker from using the remaining unbacked tokens for further borrowing or market manipulation. As a result, the potential damage has been significantly limited. Security experts now estimate the total realized loss from the incident at approximately $816,000, which is the amount the attacker successfully laundered through Tornado Cash.
Root Cause
The exploit was not caused by a flaw in the smart contract code, but by a compromised single admin private key. The attacker used this key to grant themselves powerful roles (such as DEFAULT_ADMIN_ROLE and MINTER_ROLE), revoke the original admin, and mint the unbacked eBTC.
Security experts, including SlowMist founder Yu Xian, have pointed out that Echo Protocol relied on a single Externally Owned Account (EOA) with full administrative privileges. The protocol reportedly lacked essential security measures such as:
- Multi-signature (multisig) wallets for admin functions
- Timelocks on critical operations
- Minting caps or rate limits on eBTC
- Proper separation of privileges
This created a single point of failure that made unrestricted minting possible, an issue that has also been seen in other cross-chain bridge designs where admin control is too centralized. A similar pattern of vulnerability was observed in another recent bridge-related exploit involving significant losses, which further highlights how these architectural risks continue to affect DeFi systems.
Official Responses
- Echo Protocol: Confirmed the security incident and suspended all cross-chain transactions while the investigation continues. They will provide timely updates through official channels.
- Curvance: Paused eBTC-related markets to prevent further damage. Their own contracts were not affected.
- Monad Network: Co-founder Keone Hon stated that the Monad blockchain itself is secure and unaffected.
Market Impact
Following the news, Echo Protocol’s native token fell by around 11-12%. This incident adds to the growing list of DeFi exploits in May 2026 and highlights the critical importance of proper key management and operational security in cross-chain projects.
Users are advised to revoke any approvals given to Echo Protocol or eBTC and monitor official updates closely. Further details on compensation or recovery are expected soon.
