Taiko's bridge and ERC20 Vault on Ethereum were hit by an exploit that let an attacker forge proofs and drain roughly $1.7 million in unauthorized withdrawals. The project urged users to pull their funds from the affected contracts as soon as possible.
A verification bypass
The breach targeted Taiko's chain state verification mechanism — the system that checks whether data coming from the layer-2 actually matches what's recorded on Ethereum. By compromising that check, the attacker was able to submit forged proofs that the bridge accepted as legitimate. That opened the door to withdrawals that should never have been allowed.
Taiko didn't immediately detail how the verification mechanism was broken, or whether a specific vulnerability in the smart contract code was to blame. But the result was clear: roughly $1.7 million in assets moved out of the vault without authorization.
Withdrawals urged
After confirming the incident, Taiko told users to withdraw any remaining funds from the bridge and the ERC20 Vault. The message was blunt: don't leave money in the compromised contracts. The team didn't say whether a fix had been deployed or if withdrawals were still possible at the time of the announcement.
For anyone who had assets locked in the bridge, the warning was effectively an order to move fast. The longer funds sat in the vulnerable contracts, the higher the risk of further losses.
It's not the first time a layer-2 bridge has been hit by a proof verification flaw. The attack vector — tricking the bridge into accepting fraudulent state data — has been used against other projects in the past. But for Taiko, which launched its mainnet only last year, the timing is especially painful.
As of this writing, Taiko has not said whether it plans to reimburse affected users or pursue recovery of the stolen assets. The exploit's aftermath will likely hinge on how quickly the team can patch the verification mechanism and whether any of the drained funds can be traced.