Decentralized finance protocol Echo Protocol was exploited after an attacker minted approximately 1,000 unauthorized eBTC on the Monad blockchain, worth around $77 million.
Blockchain security firm PeckShield reported the incident Tuesday, noting the hacker minted 1,000 synthetic Bitcoin (eBTC) worth about $76.7 million. The attacker attempted to launder some of the funds by depositing 45 eBTC into DeFi lending protocol Curvance, then borrowing 11.3 wrapped Bitcoin, bridging to Ethereum, swapping for ETH, and funneling 384 ETH through Tornado Cash.
The hacker still holds 955 eBTC worth approximately $73 million.
Echo Protocol is a Bitcoin DeFi platform focused on liquidity aggregation and yield generation, deployed on Monad, a high-performance layer-1 EVM-compatible blockchain.
Blockchain developer “Marioo” identified the root cause as an admin private key compromise, not a smart contract bug. The eBTC contract worked as designed, but vulnerabilities included a single signature for the admin role, no timelock, no minting supply cap, and no supply sanity check by Curvance.
Curvance confirmed no compromise with its own smart contracts and paused the affected market. Monad co-founder Keone Hon clarified the Monad network remains unaffected and operating normally.