On May 18, 2026, an attacker minted 1,000 eBTC worth $77 million using unauthorized role manipulation on Monad's Echo Protocol. They converted about $870,000 of the tokens to WBTC through Curvance, but 99% of the stolen funds remain frozen. The breach echoes two earlier 2026 exploits with smaller losses.
How the Attack Unfolded
The attacker first granted themselves DEFAULT_ADMIN_ROLE on Echo Protocol. They then assigned MINTER_ROLE before executing a mint transaction. The tokens went to address 0x6a01 and the transaction hash was 0x2cc973. Admin privileges got revoked immediately after to hide access. No official statement came from Echo Protocol or Curvance.
The Frozen $76 Million
Ninety-nine percent of the minted eBTC sits idle in the attacker's wallet. Monad's limited lending and DEX liquidity prevents moving large amounts. Only a tiny fraction got converted when the attacker deposited 45 eBTC as collateral on Curvance. They borrowed 11.296 WBTC in return. The rest simply can't be moved.
Deja Vu in DeFi
This is the third major role-based exploit in four months. March’s Resolv USR breach had a similar pattern but 30 times larger losses. April’s KelpDAO rsETH incident followed the same blueprint. The attacker used identical role manipulation tactics each time. The timing isn’t great for Monad’s security reputation.
Unclear Path Forward
Community members are pointing to Echo Protocol as the source, but no public confirmation exists. Curvance hasn’t explained the collateral interaction either. With both teams silent, the frozen funds could stay locked for weeks. The next concrete step would be an official statement naming the exploited contract.
