Echo Protocol is investigating an unauthorized mint on its Monad deployment after on-chain sleuths flagged suspicious activity that briefly turned a synthetic BTC token into real liquidity.
What happened
- On May 18 on-chain analysts noticed 1,000 eBTC suddenly minted on Echo’s Monad deployment. Lookonchain mapped the attacker’s actions: they minted 1,000 eBTC (theoretically worth roughly $76M at BTC prices), deposited just 45 eBTC as collateral on Curvance, borrowed ~11.3 WBTC (≈ $867K), bridged that WBTC to Ethereum, swapped it for ~385 ETH (≈ $821K) and routed the funds through Tornado Cash. The attacker initially retained 955 eBTC.
- Initial public alarm came from analyst DCF GOD and a transaction timestamp was highlighted at May 18, 21:21:32 UTC.
Forensic signals: admin-key compromise
- Phylax Systems CEO Odysseas Lamtzidis and other researchers pointed away from a Curvance protocol bug and toward a role-management compromise on the eBTC side. On-chain traces reportedly show the eBTC admin granting DEFAULT_ADMIN_ROLE to an address, revoking its own admin, then that address self-granting MINTER_ROLE and minting 1,000 eBTC — a pattern consistent with an admin-key or role compromise rather than a lending exploit.
Protocol responses and losses
- Echo confirmed a security incident affecting its Monad bridge, suspended all cross-chain transactions and began an investigation. Curvance paused the affected eBTC market, saying its contracts and Monad’s network itself were not compromised and its isolated-market design protected other markets.
- Monad’s CEO Keone Hon stated the Monad network was operating normally and that roughly $816K appears to have been stolen as a result of the exploit — a figure consistent with the borrowed/withdrawn WBTC that was bridged and converted.
- In an update on X, Echo said its investigation indicates a compromised admin key in the Monad deployment. Echo reported regaining control of admin keys and burning the remaining 955 eBTC that had been in the attacker’s possession. The protocol put the impacted amount at approximately $816K on Monad.
Why it matters
- This incident follows a familiar bridge-to-lending failure mode: once a bridged or synthetic asset is accepted as collateral, even a partial conversion path can convert a supply-side mint into real liquidity loss. Here, the attacker monetized only a sliver of the synthetic supply (the borrowed WBTC), while most of the minted eBTC never reached the market and was later burned.
- The exploit arrives during a rough stretch for cross-chain infrastructure: earlier in May THORChain suffered losses of more than $10M across multiple chains, and the Verus-Ethereum bridge was drained for roughly $11.5M days later. Echo’s incident reinforces that bridge design, collateral acceptance and role/permission hygiene remain core DeFi attack surfaces.
Open questions ahead
- Key outstanding market questions include whether all unauthorized eBTC has been neutralized, whether Curvance will face bad debt from the WBTC borrow, which bridge permissions and contracts were involved, and when cross-chain transactions can safely resume. Echo says it will provide timely updates through official channels as its investigation continues.
Market snapshot
- At press time the total crypto market capitalization stood at about $2.54 trillion.
Read more AI-generated news on: undefined/news
