Echo Protocol suffered a breach on Monad this week when an attacker used a compromised admin key to mint 1,000 fake eBTC — worth $76.7 million on paper. The real damage was far smaller: the attacker managed to extract about $816,000 in actual value by using 45 of those fake tokens as collateral on Curvance, borrowing real WBTC, and laundering the proceeds through Tornado Cash. The exploit wasn't a smart contract bug; it came down to weak operational controls around a privileged key.
The exploit: a stolen key, not broken code
The attacker didn't find a re-entrancy bug or manipulate an oracle. They got hold of Echo Protocol's admin key on Monad and used it to mint fake eBTC at will. That's the kind of vulnerability that multisig setups, timelocks, and mint caps are meant to prevent — none of which Echo had in place. Monad's network itself wasn't compromised; the failure was entirely at the protocol level.
After minting, the attacker deposited 45 fake eBTC into Curvance's isolated market for that asset. Curvance's design limited the blast radius: only the eBTC pool was affected. The attacker borrowed real WBTC against the fake collateral, bridged to Ethereum, swapped for ETH, and then used Tornado Cash to obscure the trail. The whole operation netted about $816,000 in real crypto.
Why the $76.7M headline number is misleading
The $76.7 million figure represents the paper value of all 1,000 fake eBTC at the time of minting. But Monad's thin liquidity meant the attacker couldn't cash out anywhere close to that. They only used 45 tokens as collateral, and even then, the actual lending limit on Curvance capped the real-world haul. Echo Protocol burned the remaining 955 fake eBTC and paused affected functions after the incident. The gap between paper loss and real loss is a reminder that liquidity matters — a lot — when assessing exploit severity.
2026 is already a brutal year for DeFi security
This breach fits a grim pattern. According to DefiLlama, DeFi losses topped $1 billion in the first four months of 2026. April alone saw $634 million across 28+ incidents — the worst month on record. Drift ($285M) and KelpDAO ($292M) accounted for over $577 million of that, and neither was a code exploit.
The data shows that the biggest threats in 2026 aren't smart contract bugs. LayerZero bridge exploits lead at 18% of losses, followed by compromised admin keys (16%), spoof tokens (14%), and private key compromises (11%). Classic re-entrancy and oracle manipulation now make up a minimal share. The Echo Protocol incident is a textbook admin-key hack — and the attacker didn't even need to be a skilled developer.
Echo Protocol has burned the remaining fake supply and paused the affected functions. Curvance's isolated market design prevented the damage from spreading beyond eBTC. But the underlying problem — single-key admin control with no timelock or rate limit — isn't fixed yet. Echo hasn't announced a timeline for resuming normal operations or upgrading its key management. Given the 2026 trend, this won't be the last admin-key story we write.
