Attacker Mints $77M in Fake eBTC on Monad, Makes Off With $870K

On May 18, an attacker exploited Echo Protocol's eBTC token on the Monad blockchain, minting 1,000 fake eBTC worth roughly $77 million. The attacker managed to convert about $870,000 of that into real WBTC before the rest got stuck in their wallet. The exploit follows a pattern of privileged-role failures seen in recent months, though the realized loss here is far smaller than similar incidents.

Inside the exploit

The attacker first gained DEFAULT_ADMIN_ROLE on the eBTC token contract, then granted themselves MINTER_ROLE. With that, they minted 1,000 eBTC in a single transaction (ID 0x2cc973...). From there, they deposited about 45 eBTC into Curvance, an omnichain lending protocol, and borrowed roughly 11.296 WBTC against it. The WBTC was then bridged off Monad, likely via LayerZero. The attacker's address is 0x6a0109d3c5ab56277096c75e8f5d1d1d45243415.
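The role chain described above (new admin, then a minter grant, then a large mint) can be watched for on the defender's side. The following is an added example, not code from Echo Protocol, Curvance or the article's author: it assumes the token emits OpenZeppelin-style `RoleGranted` events that have already been ABI-decoded into dicts, and the addresses, block numbers, supply figure, thresholds and the `tx_from` field are constructed for illustration.

```python
from dataclasses import dataclass, field

ZERO = "0x" + "00" * 20   # a mint is a Transfer from the zero address
WINDOW = 500              # assumed: blocks within which events are correlated
MINT_RATIO = 0.10         # assumed: flag a single mint above 10% of supply

@dataclass
class RoleMonitor:
    trusted_admins: set
    supply: float
    admin_since: dict = field(default_factory=dict)   # account -> block of grant
    minter_since: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def _recent(self, table, who, blk):
        return who in table and blk - table[who] <= WINDOW

    def feed(self, ev):
        blk = ev["block"]
        if ev["event"] == "RoleGranted":
            acct, sender = ev["account"], ev["sender"]
            if ev["role"] == "DEFAULT_ADMIN_ROLE":
                self.admin_since[acct] = blk
                if acct not in self.trusted_admins:
                    self.alerts.append((blk, "UNEXPECTED_ADMIN", acct))
            elif ev["role"] == "MINTER_ROLE":
                self.minter_since[acct] = blk
                # A freshly created admin handing out mint rights is the chain to catch.
                if sender not in self.trusted_admins and self._recent(self.admin_since, sender, blk):
                    self.alerts.append((blk, "ADMIN_THEN_MINTER", acct))
        elif ev["event"] == "Transfer" and ev["from"] == ZERO:
            big = ev["value"] > MINT_RATIO * self.supply
            if big and self._recent(self.minter_since, ev["tx_from"], blk):
                self.alerts.append((blk, "LARGE_MINT_BY_NEW_MINTER", ev["tx_from"]))
            self.supply += ev["value"]

def run(events, trusted_admins, supply):
    mon = RoleMonitor(set(trusted_admins), supply)
    for ev in sorted(events, key=lambda e: e["block"]):
        mon.feed(ev)
    return mon.alerts

# Constructed sample stream (addresses, blocks and supply are made up).
OPS, BRIDGE, NEW = "0xaa", "0xbb", "0xee"
BENIGN = [
    {"block": 100, "event": "RoleGranted", "role": "MINTER_ROLE", "account": BRIDGE, "sender": OPS},
    {"block": 9000, "event": "Transfer", "from": ZERO, "to": "0xc1", "value": 2.0, "tx_from": BRIDGE},
]
SUSPECT = BENIGN + [
    {"block": 9100, "event": "RoleGranted", "role": "DEFAULT_ADMIN_ROLE", "account": NEW, "sender": OPS},
    {"block": 9101, "event": "RoleGranted", "role": "MINTER_ROLE", "account": NEW, "sender": NEW},
    {"block": 9102, "event": "Transfer", "from": ZERO, "to": NEW, "value": 1000.0, "tx_from": NEW},
]
```

`run(SUSPECT, {OPS}, 500.0)` yields one alert per step of the chain, while the benign bridge mint stays silent because the minter is long-standing and the amount is small relative to supply.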

The stuck millions

The remaining 99% of the fake eBTC — about $76 million — is still sitting in the attacker's wallet. Monad's lending and DEX liquidity simply can't absorb that much. Curvance's lending logic wasn't the failure point; the problem was the eBTC contract itself. Echo Protocol, the Bitcoin liquidity and yield project behind eBTC, had not published a statement at the time of writing. Neither had Curvance.

A familiar failure mode

This exploit shares the same root cause as two earlier incidents this year: the Resolv USR exploit in March and the KelpDAO rsETH exploit in April. All three involved an attacker gaining privileged roles on a token contract and minting at will. The realized loss from this exploit is roughly 30 times smaller than Resolv's and over 250 times smaller than KelpDAO's. Still, the pattern raises questions about access control in young DeFi projects.

Waiting for answers

The first public flag came from @dcfgod on X. Monad co-founder @keoneHD acknowledged the incident shortly after. But neither Echo Protocol nor Curvance has issued a statement. Monad, a high-performance EVM L1 that opened to wider deployments earlier this year, now has another exploit on its ledger. The attacker's wallet still holds the bulk of the fake eBTC — a ticking reminder that the real damage could have been much worse.