Echo Protocol exploit sparks alarm after $73M eBTC mint

The Bitcoin DeFi project Echo fell victim to an exploit on Monday. Blockchain security platform Lookonchain shows a hacker minted 1,000 eBTC ($76.64M) on Monad, and then collateralized 45 eBTC on Curvance to borrow 11.29 WBTC worth $867,700. The attacker later redirected the assets to Ethereum and converted them to native ETH while funneling 384 ETH into Tornado Cash.

The attacker’s wallet still retains 955 eBTC of the fake supply, which the platform estimates is worth about $73.2 million. Blockchain firm OnChain Lens even confirmed: “The attacker still appears to control a significant amount of minted eBTC.”

The incident comes as the DeFi sector continues to grapple with a rising wave of protocol breaches and private key compromises.

Curvance says the exploit only affected Monad’s eBTC/WBTC market

Monad and Curvance have both now publicly recognized the exploit. Monad Co-founder Keone Hon posted on X:

In another post, the founder noted they had lost about $816,000 to the exploit. Curvance also shared, “Out of an abundance of caution, the affected market has been paused while our team actively investigates the situation alongside ecosystem partners.”

It also asserted that the attack was contained to Monad’s eBTC/WBTC market. Other Curvance pools and major cross-chain platforms, including Aave, Morpho, Spark, and Fluid, were untouched. Although it isn’t known exactly how the attacker managed to mint eBTC, experts suggested it could be due to a private key compromise, a deployment error, or a smart contract flaw.

The attacker opted against a 1,000 eBTC DEX market dump to avoid the severe slippage caused by Monad’s shallow liquidity pool. Instead, they executed a lending-based extraction method, replicating the strategy used to siphon funds from Resolv and KelpDAO before.

Have hackers been targeting more DeFi platforms?

According to DeFiLlama, the DeFi space had already suffered 13 hacks this month before the Echo Protocol exploit. The Echo Protocol is also the third major decentralized finance platform to fall victim to an exploit in the last five days.

As earlier reported by Cryptopolitan, THORChain was compromised on May 15, and hackers pocketed more than $10 million. THORChain suspended trading after the incident, reassuring users that only protocol-owned funds were affected. It acknowledged it “automatically detected abnormal behavior and halted signing activity,” which prevented more outbound transactions.

Speaking on the attack, on-chain investigator ZachXBT said the exploiter targeted the platform across Bitcoin, Ethereum, BNB Chain, and Base.

A subsequent exploit hit the Verus-Ethereum Bridge three days later, resulting in the loss of $11.58 million in digital assets. Security researchers at Blockaid traced the exploit to the wallet address “0x5aBb…D5777.” Blockchain security firm Peckshield also detailed that the exploiter made off with 103.6 tBTC, 1,625 ETH, and 147,000 USDC, later converting the assets into about 5,402 ETH.

Another security firm reporting the attack, GoPlus, noted, “It is highly likely to be cross-chain message validation/signature forgery, withdrawal logic bypass, or access control flaw.” Meanwhile, the Verus team contended that it’s still investigating the incident.

DeFi platforms have become a prime target for attackers in the last few years. DeFiLlama estimates that uninsured lending protocols have suffered $7.7 billion in exploit-related losses over the past 6 years. More than $600 million was lost to hacks this April, with Drift and KelpDAO taking major hits.

More recently, Nexus Mutual’s Founder, Hugh Karp, even highlighted that many of the latest hacks were caused by operational failures, pointing to a mismatch between risk and insurance coverage.

If you're reading this, you’re already ahead. Stay there with our newsletter.