Echo Protocol Loses $77M in eBTC Exploit Linked to Admin Key Compromise

Nidhi Saini
Published: May 19, 2026
(Updated: May 19, 2026)

Summary:

  • Echo Protocol suffered a major exploit after an attacker minted 1,000 unauthorized eBTC worth roughly $76.7 million.
  • Early findings suggest the issue was caused by an admin private key compromise, not a smart contract flaw.
  • The attacker has already moved part of the stolen funds through Tornado Cash, laundering nearly 5% of the total amount.
  • Roughly 955 eBTC worth around $73 million remains in the attacker's wallet.
  • Monad confirmed its blockchain infrastructure remains unaffected.
  • The exploit adds to a difficult year for DeFi, with multiple major attacks already recorded in 2026.

Another major DeFi exploit has landed at a time when the sector is already under heavy pressure. Bitcoin liquidity protocol Echo Protocol confirmed a serious security incident after an attacker minted around 1,000 synthetic Bitcoin (eBTC) without authorization, creating losses estimated at $76.7 million. The exploit was first flagged Tuesday by blockchain security firm PeckShield and onchain analytics platform Lookonchain, both of which traced suspicious minting activity tied to the protocol's bridge infrastructure on Monad, the high-performance EVM-compatible layer-1 blockchain where Echo is deployed.

Source: PeckShield report

Echo quickly acknowledged the incident and temporarily halted all bridge-related activity while its team investigates what happened.

"We are currently investigating a security incident impacting the Echo bridge on Monad. All cross-chain transactions remain suspended while the investigation is underway," Echo Protocol said.

That immediate pause was likely necessary to prevent additional unauthorized transfers while forensic teams reviewed internal controls and wallet activity.

For users unfamiliar with Echo, the protocol focuses on Bitcoin liquidity aggregation and yield generation. It allows users to deposit BTC-based assets and receive eBTC, a synthetic Bitcoin asset designed for staking, restaking, bridging, and broader DeFi use. The model depends heavily on trust in minting controls. Once those controls fail, confidence can disappear quickly.

This exploit arrives during one of the roughest periods DeFi has faced this year. At least 12 separate protocols have been compromised this month alone, including incidents involving THORChain, Verus Protocol's Ethereum bridge, Transit Finance, TrustedVolumes, and Ekubo. That pattern is becoming difficult to ignore. The weak points are shifting away from pure contract code and increasingly toward infrastructure operations and privileged access systems.

Attack Flow Shows Laundering Attempts Through Curvance and Tornado Cash

According to PeckShield's onchain investigation, the attacker did not immediately dump the newly minted eBTC. Instead, they used a more calculated route. The attacker deposited 45 eBTC worth approximately $3.45 million into DeFi lending protocol Curvance, then borrowed wrapped Bitcoin against that collateral. PeckShield explained:

"The hacker minted 1k $eBTC ($76.7M) &, utilizing the tested flow, deposited 45 $eBTC ($3.45M) into Curvance. They then borrowed 11.29 $WBTC ($867.7K) against it, bridged the $WBTC to #Ethereum, swapped them for $ETH, and sent 384 $ETH ($821.7K) to #TornadoCash." Source

That process allowed the attacker to convert a portion of synthetic collateral into liquid ETH before sending 384 ETH, worth roughly $822,000, through Tornado Cash. It's a common laundering path for attackers seeking to break transaction traceability.

According to wallet tracking data from DeBank, the attacker still controls 955 eBTC worth around $73 million. That means only a small fraction of the exploit has actually been cashed out so far. This leaves investigators with an opportunity to monitor movement and possibly coordinate with exchanges or analytics firms if liquidation attempts begin.

Meanwhile, Curvance clarified that its own contracts were not exploited. The team stated it detected the unusual collateral behavior, paused the affected market, and began internal review. Curvance statement:

Source

Freshly minted collateral was accepted without deeper supply validation. That kind of assumption can create dangerous knock-on effects across interconnected DeFi systems.

Private Key Failure Highlights DeFi's Growing Operational Security Problem

Early technical analysis suggests the exploit was not caused by broken smart contract logic. Blockchain developer Marioo reported that the root issue appears to be an admin private key compromise. According to their review, the eBTC contract itself functioned correctly. The real problem was operational design.

The protocol reportedly relied on a single-signature admin role, with no timelock, no minting cap, no rate limiter, and no supply sanity checks before collateral could enter connected protocols. That meant whoever gained access to the admin key effectively gained unrestricted mint authority. Marioo described the failure as "operational, not technical." Smart contract audits can catch code flaws. They cannot fix weak operational controls.

Monad co-founder Keone Hon also moved quickly to separate the incident from the underlying network itself. He stated:

"the Monad network is not affected and is operating normally. Security researchers in their review have determined that ~$816,000 appears to have been stolen as a result of this exploit of @EchoProtocol_'s eBTC" Source

That clarification is important for ecosystem confidence. The exploit was isolated to Echo's application-layer security model.

Still, the timing is difficult. The broader DeFi industry is already facing rising pressure after several major breaches this year, including Drift Protocol's $285 million exploit and Kelp DAO's $292 million loss in April. Together, these incidents show the same uncomfortable truth.

Echo Protocol says further updates will be shared through official channels as investigations continue. For now, the attacker still holds most of the minted eBTC.
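The controls the analysis above lists as missing (multi-signature approval, timelock, mint cap per window, supply checks), modelled in Python as an added illustration; this is not Echo's or Curvance's code. The signer names, threshold, delay, cap, the 2,000 eBTC starting supply and reserves, and the 8-decimal unit are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

SAT = 10**8  # base units per eBTC (assumed 8 decimals, as for BTC)

@dataclass
class MintGuard:  # issuer-side mint policy, illustrative model only
    signers: frozenset      # keys allowed to approve a mint
    threshold: int          # approvals required (k of n)
    delay: int              # timelock: seconds from proposal to execution
    window: int             # rate-limit window in seconds
    window_cap: int         # max base units mintable per window
    supply: int = 0
    minted: list = field(default_factory=list)   # (time, amount) of executed mints
    pending: dict = field(default_factory=dict)  # request id -> queued request

    def propose(self, rid, amount, now):
        self.pending[rid] = {"amount": amount, "eta": now + self.delay, "ok": set()}
    def approve(self, rid, signer):
        if signer not in self.signers:
            raise PermissionError("unknown signer")
        self.pending[rid]["ok"].add(signer)
    def execute(self, rid, now, reserves):
        req = self.pending[rid]
        recent = sum(a for t, a in self.minted if now - t < self.window)
        if len(req["ok"]) < self.threshold:
            return "rejected: approvals"
        if now < req["eta"]:
            return "rejected: timelock"
        if recent + req["amount"] > self.window_cap:
            return "rejected: rate limit"
        if self.supply + req["amount"] > reserves:
            return "rejected: unbacked supply"
        self.supply += req["amount"]
        self.minted.append((now, req["amount"]))
        del self.pending[rid]
        return "minted"

def replay(amount=1000 * SAT):
    """Constructed scenario: the article's 1,000 eBTC mint checked against each control."""
    g = MintGuard(frozenset({"k1", "k2", "k3"}), 2, 86_400, 86_400, 50 * SAT, supply=2_000 * SAT)
    g.propose("m1", amount, now=0)
    g.approve("m1", "k1")  # a single compromised key fails the k-of-n check
    one_key = g.execute("m1", 0, 2_000 * SAT)
    g.approve("m1", "k2")  # assume a second key is compromised as well
    return [one_key, g.execute("m1", 0, 2_000 * SAT), g.execute("m1", 86_400, 2_000 * SAT)]

def collateral_ok(supply_now, supply_prev, max_growth_bps=500):
    """Lender-side check: refuse deposits if token supply grew more than max_growth_bps."""
    return (supply_now - supply_prev) * 10_000 <= supply_prev * max_growth_bps
```

Each layer stops the mint independently: one key is not enough, two keys still wait out the timelock, and after the delay the amount exceeds the window cap. The lender-side function would flag a jump from 2,000 to 3,000 eBTC of supply before any of it is accepted as collateral.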

About the Author

Nidhi Saini

Nidhi Saini is a writer and co-founder of CotiNews, with over four years of experience working in Web3 marketing. She brings a practitioner’s perspective to her writing, shaped by years spent understanding how blockchain products are positioned, communicated, and adopted. As a co-founder, she is also involved in shaping the platform’s editorial direction, ensuring the publication stays thoughtful, credible, and grounded.
