Echo Protocol suffered a security breach on Monad after an attacker gained control of an admin key and minted 1,000 eBTC (~$76.64M) without authorization. The newly created synthetic Bitcoin was immediately used as collateral on Curvance lending protocol to borrow 11.3 WBTC (~$867K), which was then converted to ETH and routed through Tornado Cash to obscure the trail. The incident marks the third major bridge exploit in as many days, exposing a structural weakness in how DeFi protocols accept bridged assets as collateral without proper validation mechanisms.
Admin Key Compromise Triggered Unauthorized Minting
On May 18 at 21:21:32 UTC, an attacker transferred control of Echo Protocol’s eBTC minting authority after compromising an admin key on Monad. Security analyst Odysseas Lamtzidis (Phylax Systems CEO) traced the attack sequence: the compromised account granted itself the MINTER_ROLE, minted 1,000 eBTC out of thin air, and deposited only 45 eBTC (~$3.45M) as collateral to Curvance. The remaining 955 eBTC (~$73.2M) was held in the attacker’s wallet. Echo Protocol confirmed in a statement that “the issue originated from a compromised admin key affecting the Monad deployment,” but has not disclosed how the key was compromised or when the compromise occurred.
Curvance Processed Loan Against Unsecured Collateral
The lending protocol accepted the freshly minted eBTC as valid collateral and approved a loan of 11.296 WBTC against it. On-chain analyst DCF GOD summarized the attack plainly: “Someone minted 1k ebtc out of nowhere, max borrowed wbtc against it on Curvance, bridged, and tornado away.” The attacker swapped 385 ETH (~$821K) and extracted approximately $816K in confirmed losses. Curvance stated no smart contract vulnerability existed in its lending system and that isolated-market architecture prevented contagion to other assets. Monad CEO Keone Hon clarified that “the Monad network is not affected and is operating normally,” isolating the failure to Echo’s bridge infrastructure.
Bridge Security Crisis Accelerates Across DeFi
Echo’s breach represents the third significant bridge exploit within days. THORChain lost $10M+ across multiple chains on May 15, with attackers stealing 36.75 BTC. Days later, the Verus-Ethereum Bridge was drained for $11.5M (103.6 tBTC, 1,625 ETH, 147,000 USDC). These incidents reveal a pattern: bridges mint or validate synthetic assets with insufficient governance checks, and downstream protocols accept them as collateral without real-time verification. Synthetic assets backed by compromised admin keys pose infinite minting risk. The crypto market cap stood at $2.54 trillion at press time, making bridge security failures increasingly material to systemic stability.
Investigation Ongoing; Cross-Chain Exposure Unclear
Echo Protocol has suspended all cross-chain transactions on Monad while investigating. Admin controls have been regained and 955 eBTC have been burnt post-incident. The root cause of the admin key compromise remains unreported. Full exposure across other chains and protocols accepting Echo’s synthetic assets has not been quantified. Until Echo publishes a complete forensic report, the scope of contagion risk and the timeline of the compromise will remain unknown to the broader DeFi ecosystem.
