The Bitcoin liquidity protocol Echo Protocol suffered a security incident on the Monad chain. The attacker first minted 1,000 eBTC without authorization, then used a portion of it as collateral to borrow assets and transferred them cross-chain. The project team stated that, based on current investigations, the actual affected amount is approximately $8.16 million.
The attack vector involves minting and cross-chain transfers.
On-chain security firm PeckShield, citing information from researchers, stated that the attacker minted approximately $76.7 million worth of eBTC and deposited 45 eBTC into Curvance. Subsequently, the attacker borrowed about 11.29 WBTC, transferred it to Ethereum, converted it to ETH, and ultimately sent 384 ETH to Tornado Cash.
Echo Protocol later confirmed on social media that the issue stemmed from compromised administrative keys affecting the Monad deployment. The team stated that the Monad network itself was unaffected and continues to operate normally.
The project team claims to have regained management control.
Echo Protocol stated that the team has regained control of the management keys and has destroyed the remaining 955 eBTC held by the attacker. The project team also emphasized that, based on current findings, the incident is limited to the Monad deployment, with no evidence of compromise on Aptos.
The project team also clarified that eBTC on Monad and aBTC on Aptos are two separate assets that cannot be directly bridged. The current exposure on the Aptos side is approximately $71,000, spread across the Echo lending market and the Hyperion liquidity pool, with no confirmed loss of funds to date.
Cross-chain functionality has been suspended.
As an emergency measure, Echo Protocol has suspended the cross-chain functionality of the Monad deployment and completed the associated contract upgrade to restrict affected operations and enhance control over sensitive permissions. Although no anomalies have been detected on the Aptos side, the team has also suspended the Aptos bridge and terminated the Echo Aptos Lending service.
The project team also stated that they are upgrading their EVM-series bridge deployment to further enhance cross-chain control and reduce operational risk.
This incident once again highlights DeFi protocols' reliance on off-chain infrastructure and centralized key management. Recently, THORChain, TrustedVolumes, and KelpDAO have also experienced security incidents, drawing further attention to the operational and permission management risks of DeFi protocols.


