An attacker minted 1,000 eBTC on Monad late Monday, worth about $77 million at spot, then converted roughly $870,000 of that into real WBTC and bridged it off the chain. The rest — nearly $76 million in minted eBTC — is still sitting in the exploiter's wallet, unable to be moved because Monad's lending pools and DEXs don't have enough depth to absorb it.
The exploit mechanics
The attacker didn't break any DeFi math or oracle logic. They simply gave themselves DEFAULT_ADMIN_ROLE, then MINTER_ROLE, and minted the eBTC directly to their address. That's a privileged-role failure — someone with access to the admin key, or a misconfigured contract, handed the attacker the keys to the minting function.
From there, they deposited about 45 eBTC as collateral on Curvance, borrowed ~11.296 WBTC, and bridged it off Monad. A clean, fast exit for that slice. The rest couldn't follow because Monad's liquidity stacks are still thin — the chain only opened to deployments earlier this year.
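The grant-then-mint sequence described above is visible on-chain as it happens, so it can be alerted on. The sketch below is an added example, not code from Echo, Curvance or Monad: it assumes the token emits OpenZeppelin-style RoleGranted events and ERC-20 Transfer events that have already been decoded, and every address, block number, amount and threshold in it is constructed.

```python
# Added example: flag "admin grant -> minter grant -> mint" chains in decoded events.
# Assumes OpenZeppelin AccessControl / ERC-20 event shapes; all sample data is constructed.
ZERO = "0x" + "00" * 20   # mints appear as Transfer events from the zero address
NEVER = -10**9            # sentinel block for "role never seen"

SAMPLE_EVENTS = [  # constructed, amounts in whole tokens
    {"block": 100, "event": "RoleGranted", "role": "MINTER_ROLE",
     "account": "0xbridge", "sender": "0xmultisig"},
    {"block": 120, "event": "Transfer", "from": ZERO, "to": "0xuser1", "value": 2},
    {"block": 500, "event": "RoleGranted", "role": "DEFAULT_ADMIN_ROLE",
     "account": "0xnew", "sender": "0xnew"},
    {"block": 501, "event": "RoleGranted", "role": "MINTER_ROLE",
     "account": "0xnew", "sender": "0xnew"},
    {"block": 502, "event": "Transfer", "from": ZERO, "to": "0xnew", "value": 1000},
]

def find_grant_then_mint(events, known_minters, window=50, max_mint=10):
    """Return (alert, account, block) tuples for suspicious role/mint activity."""
    admin_at, minter_at, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["event"] == "RoleGranted":
            acct = ev["account"]
            if ev["role"] == "DEFAULT_ADMIN_ROLE":
                # Admin grants should be rare enough to alert on every one.
                admin_at[acct] = ev["block"]
                alerts.append(("admin_granted", acct, ev["block"]))
            elif ev["role"] == "MINTER_ROLE" and acct not in known_minters:
                minter_at[acct] = ev["block"]
                # Minter grant issued by an account that only just became admin.
                if ev["block"] - admin_at.get(ev["sender"], NEVER) <= window:
                    alerts.append(("minter_granted_by_new_admin", acct, ev["block"]))
        elif ev["event"] == "Transfer" and ev["from"] == ZERO:
            # Mint above the cap, credited to an account that just gained MINTER_ROLE.
            recent = ev["block"] - minter_at.get(ev["to"], NEVER) <= window
            if recent and ev["value"] > max_mint:
                alerts.append(("large_mint_to_new_minter", ev["to"], ev["block"]))
    return alerts

if __name__ == "__main__":
    for alert in find_grant_then_mint(SAMPLE_EVENTS, known_minters={"0xbridge"}):
        print(alert)
```

The first alert fires two blocks before the mint in this sample, which is the window in which a pause or guardian action would have to land.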
Familiar pattern
The role-abuse angle looks a lot like two recent hits. Resolv's USR exploit in March and KelpDAO's rsETH exploit in April both involved someone obtaining DEFAULT_ADMIN_ROLE and minting tokens they weren't supposed to. The realized loss here is roughly 30× smaller than Resolv and over 250× smaller than KelpDAO, but the playbook is the same.
Monad co-founder @keoneHD acknowledged the incident on X, saying the team and external security researchers are investigating. He didn't offer specifics on how the attacker got the role.
Unanswered questions
The root cause is still unknown. Could be a compromised admin key, a deployment misconfiguration, or a contract-level bug. Echo Protocol — the Bitcoin liquidity and yield project behind eBTC — hasn't published a statement. Neither has Curvance, the omnichain lending protocol that the attacker used to bridge out the WBTC.
Who held the DEFAULT_ADMIN_ROLE on the eBTC contract? That's the question that needs answering. If it was a single multisig signer, that's a procedural failure. If it was the contract itself, that's a code bug. Either way, the silence from Echo and Curvance isn't helping.
What's left on the table
The attacker's wallet still holds ~99% of the minted eBTC — about $76 million. It's not going anywhere soon. Monad's lending and DEX depth simply can't absorb a sell that size without cratering the price. The exploiter effectively turned their loot into an illiquid bag.
That might give the team some time to figure out a freeze or a recovery path, but only if they can trace the original admin compromise. Until that's clear, $76 million in eBTC is just sitting there, waiting.




