Echo Protocol Exploited for $77M in Unauthorized eBTC Mint, $816K Laundered via Tornado Cash

Bitcoin liquidity aggregation and yield infrastructure layer, Echo Protocol, was hit by an exploit on its deployment on the Monad blockchain after an attacker minted 1,000 unauthorized eBTC worth approximately $77 million, with around $816,000 ultimately laundered through coin mixer Tornado Cash.

Blockchain security firm PeckShield flagged the incident, citing onchain sleuth dcfgod, noting the attacker "minted 1k $eBTC ($76.7M) &, utilizing the tested flow, deposited 45 $eBTC ($3.45M) into Curvance."

The hacker then borrowed approximately 11.29 WBTC ($867,700) against the collateral, bridged the WBTC to Ethereum, swapped them for ETH, and sent 384 ETH (~$821,700) to Tornado Cash.

Echo Protocol confirmed the breach in a Tuesday tweet, saying its investigation "indicates the issue originated from a compromised admin key affecting the Monad deployment."

"Based on current findings, approximately $816K was impacted on Monad. The Monad network itself was not impacted and continues to operate normally," the team said, adding it has "successfully regained control of our admin keys and burnt the remaining 955 eBTC that was in the attacker's possession."

Decrypt has reached out to Echo Protocol for comment.

The exploit follows a familiar admin-key pattern that has plagued cross-chain protocols, where a single compromised credential can unlock minting privileges across an entire deployment.

Echo said the incident "appears isolated to Monad," with "no evidence of compromise on Aptos."

The team noted that aBTC on Aptos and eBTC on Monad are separate, non-bridgeable assets, with current Aptos exposure limited to approximately $71,000 across Echo lending markets and Hyperion liquidity pools, and no confirmed loss of funds on that chain.

eBTC is Echo's wrapped Bitcoin representation on Monad, while aBTC is its counterpart on Aptos, both designed to bring BTC liquidity into DeFi applications on those chains.

Misha Putiatin, co-founder of Symbiotic and smart contract security firm Statemind, told Decrypt that the industry should expect more incidents of this kind as protocols lean harder on off-chain components.

"As DeFi protocols become increasingly dependent on off-chain infrastructure, we're likely to see a resurgence of 'Web2.5' style attacks targeting centralized key management, databases, and operational infrastructure," Putiatin said.

Calling it a “balancing act,” he said systems with “more involved management” become increasingly vulnerable to social engineering and infrastructure attacks compared with “fully permissionless systems.”

Putiatin said centralized and off-chain components of DeFi protocols have historically been "treated as secondary risk areas," but expects that to shift.

"We'll likely see far more focus on operational infrastructure, key management, and internal security frameworks, similar to how smart contract audits became standard after the 2021 exploit cycle," he said.

Precautionary measures

Echo has paused cross-chain functionality for the Monad deployment and completed an upgrade of the relevant Monad contracts "to restrict affected operations and strengthen control over sensitive functions."

The Aptos bridge has been fully paused as a precaution despite no observed impact, and Echo Aptos Lending has been suspended for security.

The team said it is also upgrading its EVM-series bridge deployments "to further strengthen cross-chain controls and reduce operational risk."

Attacks on DeFi

The Echo Protocol breach adds to mounting pressure on DeFi security after recent exploits at THORChain and TrustedVolumes, as well as last month's $293 million infrastructure-linked attack on KelpDAO, attributed to North Korea's Lazarus Group.