An attacker minted 1,000 eBTC — worth roughly $77 million at current bitcoin prices — on the Echo Protocol's Monad deployment late on May 18, then managed to convert just $870,000 of that into real WBTC before running into a dead end. The remaining ~99% of the bogus supply is still sitting in the attacker's wallet, stuck because Monad's lending pools and DEX liquidity simply can't absorb it.
How the attacker pulled it off
The exploit wasn't a flash loan or an oracle trick. It was a role-manipulation chain inside the eBTC token contract. According to on-chain data flagged by X user @dcfgod, the attacker granted themselves the DEFAULT_ADMIN_ROLE, then the MINTER_ROLE, revoked admin access, and minted 1,000 eBTC to address 0x6a0109d3c5ab56277096c75e8f5d1d1d45243415. The mint transaction landed in Monad block 75,477,995.
The cashout sequence was methodical: the attacker deposited roughly 45 eBTC into Curvance as collateral, borrowed about 11.296 WBTC across several transactions, then bridged the WBTC off Monad — likely via LayerZero. That's where the $870K in realized proceeds came from.
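The role sequence described above (admin grant, minter grant, admin revocation, large mint) can be alerted on from token events. The sketch below is an added example, not code from Echo Protocol, Monad or the original report. It assumes the token emits OpenZeppelin-style RoleGranted/RoleRevoked events and a standard ERC-20 Transfer from the zero address on mint, which the page does not confirm; the allowlist, thresholds, 8-decimal unit and sample events are constructed.

```python
# Added example: correlate decoded role events with large mints (constructed data).
ZERO = "0x" + "0" * 40
WINDOW = 1_000             # assumed correlation window, in blocks
MINT_LIMIT = 100 * 10**8   # assumed alert threshold: 100 tokens at 8 decimals

def detect(events, approved, window=WINDOW, mint_limit=MINT_LIMIT):
    """Return (block, severity, message) alerts for decoded token events.

    approved: accounts allowed to hold privileged roles (hypothetical allowlist).
    """
    alerts, rogue, minter_block = [], set(), None
    for ev in sorted(events, key=lambda e: e["block"]):
        blk, name, a = ev["block"], ev["name"], ev["args"]
        if name == "RoleGranted" and a["account"] not in approved:
            rogue.add(a["account"])
            if a["role"] == "MINTER_ROLE":
                minter_block = blk
            alerts.append((blk, "high", f"{a['role']} granted to unapproved {a['account']}"))
        elif name == "RoleRevoked" and a["role"] == "DEFAULT_ADMIN_ROLE":
            # An unapproved account removing admin access can lock out responders.
            if a["sender"] in rogue:
                alerts.append((blk, "high", f"admin role revoked by unapproved {a['sender']}"))
        elif name == "Transfer" and a["from"] == ZERO and a["value"] >= mint_limit:
            # A large mint soon after an unapproved minter grant is the full chain.
            chained = minter_block is not None and blk - minter_block <= window
            alerts.append((blk, "critical" if chained else "medium",
                           f"mint of {a['value']} base units to {a['to']}"))
    return alerts

# Constructed sample: addresses, blocks and amounts are placeholders, not chain data.
ROGUE, TEAM = "0x" + "a1" * 20, "0x" + "b2" * 20
SAMPLE = [
    {"block": 100, "name": "RoleGranted",
     "args": {"role": "DEFAULT_ADMIN_ROLE", "account": ROGUE, "sender": ROGUE}},
    {"block": 101, "name": "RoleGranted",
     "args": {"role": "MINTER_ROLE", "account": ROGUE, "sender": ROGUE}},
    {"block": 102, "name": "RoleRevoked",
     "args": {"role": "DEFAULT_ADMIN_ROLE", "account": TEAM, "sender": ROGUE}},
    {"block": 103, "name": "Transfer",
     "args": {"from": ZERO, "to": ROGUE, "value": 1000 * 10**8}},
    # Benign control: small mint with no preceding role change.
    {"block": 5000, "name": "Transfer",
     "args": {"from": ZERO, "to": TEAM, "value": 2 * 10**8}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, approved={TEAM}):
        print(alert)
```

Each role change already raises an alert on its own, so responders are paged before the mint; the mint correlation only raises the severity.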
Why the big balance is stuck
Monad is a young, high-performance EVM L1, and fresh deployments on it tend to lack the operational safety nets — multisig admin keys, timelocks, monitoring, privileged role separation — that equivalent Ethereum contracts have accumulated over years. The attacker's $76 million in remaining eBTC can't be swapped or borrowed against because the protocol's liquidity is too shallow. It's a case where thin liquidity worked against the attacker: there wasn't enough exit liquidity to cash out the rest.
The same pattern, smaller scale
This exploit follows the same playbook as the Resolv USR exploit in March and the KelpDAO rsETH exploit in April. But the realized loss here — $870K — is about 30× smaller than Resolv and over 250× smaller than KelpDAO. That's cold comfort for the protocol, but it highlights how quickly access control bugs can be weaponized once a pattern is known.
Unanswered questions: the admin key
How the attacker got the DEFAULT_ADMIN_ROLE in the first place is still unexplained. Possibilities include a compromised admin private key, a misconfigured initial deployment, or a contract-level access control bug. Monad co-founder @keoneHD acknowledged the incident and said the team and external researchers are investigating. As of press time, neither Echo Protocol nor Curvance had issued official statements.
The immediate question is whether the stuck $76 million can ever be recovered — or whether it'll sit frozen in that wallet until someone figures out a way to burn or reclaim it. The broader takeaway for the Monad ecosystem: young chains without battle-tested operational security are a prime target for the same attack vectors that hit Ethereum years ago.




