Echo Protocol is investigating a security incident involving its bridge on Monad after an attacker exploited a compromised admin key to mint 1,000 eBTC and drain roughly $816,000 in value. The attacker used part of the minted tokens to extract WBTC liquidity through Curvance, then bridged the stolen funds to Ethereum and deposited into Tornado Cash. The total crypto market cap stood at $2.54 trillion at press time.
How the attack played out
On-chain analyst DCF GOD first raised the alarm, posting that Echo 'may be hacked on Monad' and that someone minted 1,000 eBTC out of nowhere, max borrowed WBTC against it on Curvance, bridged, and tornado away. Lookonchain later detailed the flow: the attacker minted 1,000 eBTC valued at about $76.64 million, deposited 45 eBTC ($3.45 million) into Curvance, borrowed 11.3 WBTC ($867,000), bridged WBTC to Ethereum, swapped for 385 ETH ($821,000), and deposited the ETH into Tornado Cash. At the time of the alert, the attacker still held 955 eBTC worth roughly $73.2 million.
Phylax Systems founder Odysseas Lamtzidis said the transaction trail pointed to a role-management compromise on the eBTC side, not a Curvance lending bug. He detailed that the eBTC admin granted DEFAULT_ADMIN_ROLE to an address that then revoked admin, self-granted MINTER_ROLE, minted 1,000 eBTC, posted 45 eBTC as collateral, and borrowed about 11.296 WBTC.
Echo and partners respond
Echo Protocol confirmed the incident and suspended all cross-chain transactions while the investigation is underway. Curvance paused the affected eBTC market, stating there was no indication its smart contracts were compromised and that other markets were isolated. Monad CEO Keone Hon clarified that the Monad network itself was not affected and was operating normally, and that roughly $816,000 appears to have been stolen. Echo later confirmed the issue originated from a compromised admin key affecting the Monad deployment, and said it had regained control of admin keys and burned the remaining 955 eBTC.
A week of bridge attacks
The Echo incident caps a rough stretch for cross-chain bridges. On May 15, THORChain lost over $10 million in a separate exploit. The Verus-Ethereum Bridge was drained for about $11.5 million earlier the same week. The repeated hits underscore how admin key compromises remain one of the most effective attack vectors in DeFi — even when the underlying bridge code itself is sound.
Echo says its investigation is ongoing. The protocol has not yet announced a timeline for resuming cross-chain transactions.
