
Sophia Bennett
Crypto Analyst
At first glance, the number is alarming. $76.7 million in Bitcoin‑backed tokens minted out of thin air on a live DeFi protocol. Look closer, and the actual theft was far smaller, but the security failure behind it is one the whole industry needs to understand.
Bitcoin‑focused DeFi protocol Echo was hit by an exploit on its deployment on the Monad blockchain after an attacker minted 1,000 unauthorized eBTC worth approximately $77 million, with around $816,000 ultimately laundered through coin mixer Tornado Cash.
The widely cited $76.7 million figure reflected the temporary value of the unauthorized eBTC mint, not confirmed stolen funds. The distinction matters, but it does not make the breach any less serious.
How the Attack Actually Unfolded
The mechanics of the exploit were precise and deliberate.
The attacker minted 1,000 eBTC, Echo Protocol's Bitcoin liquidity token issued on Monad, and deposited 45 eBTC worth $3.45 million into DeFi lending protocol Curvance as collateral to borrow around 11.29 WBTC worth roughly $867,700.
After securing the borrowed assets, the attacker bridged the WBTC to Ethereum, swapped the tokens into ETH, and later routed 385 ETH through Tornado Cash, according to on‑chain investigators. PeckShield separately estimated that 384 ETH worth around $822,000 had already been transferred to the crypto mixing service.
The attacker was methodical: mint fake tokens, use them as collateral, borrow real assets, move the real assets out, obscure the trail.
The Root Cause Was Not a Smart Contract Bug
This is the most important detail of the entire incident, and the one that carries the widest implications.
Echo Protocol confirmed the breach, saying its investigation indicates the issue originated from a compromised admin key affecting the Monad deployment. The eBTC contract worked exactly as designed.
Security experts pointed out that Echo Protocol relied on a single Externally Owned Account with full administrative privileges. The protocol lacked essential security measures including multi‑signature wallets for admin functions. This created a single point of failure that made unrestricted minting possible.
Blockchain developer Marioo said the root cause was operational, not technical, noting the vulnerabilities included a single signature for the admin role, no timelock, no minting supply cap or rate limit, and no supply sanity check by Curvance for the freshly minted collateral.
One key, no backup controls, no circuit breakers. The contract did exactly what it was told. The problem was who was telling it.
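The controls listed above as missing can be modelled in a few lines. This is an added illustration in Python, not Echo's or Curvance's contract code: a mint path gated by a multi-signature threshold, a timelock, a supply cap and a rate limit, plus a lender-side supply sanity check. All names and parameter values are constructed assumptions; only the 1,000 eBTC mint size comes from the article.

```python
from dataclasses import dataclass, field

@dataclass
class GuardedMinter:
    signers: frozenset      # accounts allowed to propose/approve
    threshold: int          # approvals required (multi-signature)
    timelock: int           # seconds between proposal and execution
    supply_cap: float       # hard ceiling on total supply
    window: int             # rate-limit window, seconds
    window_limit: float     # maximum minted inside one window
    supply: float = 0.0
    queue: dict = field(default_factory=dict)    # id -> (amount, eta, approvals)
    history: list = field(default_factory=list)  # (timestamp, amount) of mints

    def propose(self, pid, amount, now, signer):
        if signer not in self.signers:
            raise PermissionError("unknown signer")
        self.queue[pid] = (amount, now + self.timelock, {signer})

    def approve(self, pid, signer):
        if signer not in self.signers:
            raise PermissionError("unknown signer")
        self.queue[pid][2].add(signer)

    def execute(self, pid, now):
        amount, eta, approvals = self.queue[pid]
        recent = sum(a for t, a in self.history if now - t < self.window)
        if len(approvals) < self.threshold:
            return "rejected: approvals below threshold"
        if now < eta:
            return "rejected: timelock not elapsed"
        if self.supply + amount > self.supply_cap:
            return "rejected: supply cap"
        if recent + amount > self.window_limit:
            return "rejected: rate limit"
        del self.queue[pid]
        self.supply += amount
        self.history.append((now, amount))
        return "minted"

def collateral_ok(supply_before, supply_now, max_growth=0.10):
    # Lender-side sanity check: refuse collateral whose supply just jumped.
    return supply_before > 0 and (supply_now - supply_before) / supply_before <= max_growth

def stolen_key_mint():
    # Constructed parameters; only the 1,000 eBTC mint size is from the article.
    m = GuardedMinter(frozenset({"s1", "s2", "s3"}), 2, 3600, 500.0, 86400, 50.0, 200.0)
    m.propose("p1", 1000.0, now=0, signer="s1")
    return m.execute("p1", now=0)
```

Each check fails independently, so a single stolen key stops at the approval threshold, and even a fully approved oversized mint still has to wait out the timelock and then hits the cap.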
Monad and Curvance Were Not Breached
Two important points of clarity emerged quickly.
The Monad network itself was not impacted and continues to operate normally. Echo said the incident appears isolated to Monad with no evidence of compromise on Aptos.
Curvance paused the affected market while teams investigated. The platform stressed that the attack did not directly break its core smart contracts, and due to Curvance's fully isolated market architecture, no other markets were impacted.
Echo Regained Control and Burned the Remaining Tokens
Echo said it successfully regained control of its admin keys and burned the remaining 955 eBTC that was in the attacker's possession. That burned supply can no longer be used as collateral or bridged out, effectively capping the realised damage at the $816,000 already laundered.
Following the news, Echo Protocol's native token fell by around 11 to 12%.
The 14th Hack of May, And a Pattern That Won't Go Away
The incident raised May's running tally of crypto hacks to 14.
Security firm PeckShield said hackers have stolen roughly $328.6 million from eight bridge‑related attacks so far in 2026. The biggest breach struck Kelp DAO in April, when attackers drained nearly $292 million in rsETH from its bridge infrastructure.
The exploit follows a familiar admin‑key pattern that has plagued cross‑chain protocols, where a single compromised credential can unlock minting privileges across an entire deployment.
The lesson from Echo Protocol is not about Monad, Curvance, or eBTC specifically. It is about a failure mode that keeps appearing across DeFi: centralised admin control with no safeguards. Until protocols treat key management with the same rigour they apply to smart contract audits, this story will keep repeating.
