Echo Protocol is investigating a security incident involving its bridge on Monad after crypto on-chain analysts said an attacker minted 1,000 eBTC and used part of the position to extract WBTC liquidity through Curvance.
The first public alarm came from on-chain analyst DCF GOD, who wrote that Echo “may be hacked on Monad.” He added: “Someone minted 1k ebtc out of nowhere, max borrowed wbtc against it on Curvance, bridged, and tornado away.” A follow-up post pointed to a Monad transaction showing a 1,000 eBTC transfer on May 18 at 21:21:32 UTC.
$76M Crypto Mint Sparks Alarm
Lookonchain later mapped the reported sequence in more detail. According to the account, the attacker minted 1,000 eBTC, valued at about $76.64 million, deposited 45 eBTC worth roughly $3.45 million into Curvance, borrowed 11.3 WBTC worth about $867,000, bridged the WBTC to Ethereum, swapped it for 385 ETH worth about $821,000, and deposited the ETH into Tornado Cash. Lookonchain said the attacker still held 955 eBTC, valued at about $73.2 million.
Phylax Systems founder and CEO Odysseas Lamtzidis said the transaction trail pointed away from a Curvance lending flaw and toward a role-management compromise on the eBTC side. “Monad eBTC/Curvance trace: not a Curvance lending bug,” he wrote. “The eBTC admin granted DEFAULT_ADMIN_ROLE to 0x6A0109, who revoked admin, self-granted MINTER_ROLE, minted 1,000 eBTC, posted 45 eBTC as collateral, and borrowed ~11.296 WBTC.” Lamtzidis said the pattern “looks like admin-key/role compromise,” citing key transactions for the admin grant, mint and borrow.
Echo confirmed the incident without publishing a root-cause analysis. “We are currently investigating a security incident impacting the Echo bridge on Monad. All cross-chain transactions remain suspended while the investigation is underway. We will continue to provide timely updates through our official channels as more information becomes available.” The suspension makes the bridge the immediate operational focus, not simply the lending market that processed the collateral.
Curvance’s exposure appears to have come through the affected Echo eBTC market. Curvance paused that market while the teams investigated, and cited Curvance as saying there was no indication its smart contracts had been compromised and that its isolated-market architecture meant other markets were not affected. Also, Monad’s network itself was not affected.
Monad CEO Keone Hon wrote via X: “To clarify, the Monad network is not affected and is operating normally. Security researchers in their review have determined that ~$816,000 appears to have been stolen as a result of this exploit of Echo Protocol’s eBTC.
The incident illustrates a familiar bridge-to-lending failure pattern. Once a bridged or synthetic asset is treated as valid collateral, even a partial conversion path can turn a supply-side failure into real liquidity loss. In this case, the eBTC mint was used to borrow WBTC, move it off Monad, convert it into ETH, and route the funds through a mixer before the broader notional position was fully monetized.
Echo’s next update will need to answer several market-facing questions: whether the unauthorized eBTC has been neutralized, whether Curvance faces bad debt from the WBTC borrow, which bridge permissions or contracts were involved, and when cross-chain transactions can safely resume. Until then, the eBTC market on Monad remains the key pressure point for users trying to assess whether the incident was contained or merely slowed.
The Echo exploit also lands during a rough stretch for crypto infrastructure. On May 15, THORChain has lost more than $10 million across Bitcoin, Ethereum, BNB Chain and Base, including 36.75 BTC and roughly $7 million in other assets. Days later, the Verus-Ethereum Bridge was drained for about $11.5 million, with reports saying the attacker took 103.6 tBTC, 1,625 ETH and 147,000 USDC before consolidating the haul into roughly 5,402 ETH. Echo now gives markets another reminder that bridge design, collateral acceptance and liquidity routing remain one of DeFi’s most exposed attack surfaces.
[UPDATE from X:] Echo Protocol confirmed: “Earlier today, Echo Protocol identified unauthorized activity involving eBTC on Monad that resulted in unauthorized minting and associated fund loss. Our investigation indicates the issue originated from a compromised admin key affecting the Monad deployment. Based on current findings, approximately $816K was impacted on Monad. The Monad network itself was not impacted and continues to operate normally.
Since detecting the incident, we have been actively investigating potential cross-chain exposure, coordinating with ecosystem partners, and implementing additional precautionary measures. We have successfully regained control of our admin keys and burnt the remaining 955 eBTC that was in the attacker’s possession.”
At press time, the total crypto market cap stood at $2.54 trillion.
