An attacker minted 1,000 eBTC out of nothing on Echo Protocol’s Monad deployment on May 19 and walked away with $816,000. The protocol had no minting cap. Nobody caught it until the funds were already moving.

The breach was first flagged by on-chain researcher dcfgod, who posted on X that Echo Protocol on Monad may have been hacked, noting that someone had minted 1,000 eBTC from nowhere, borrowed maximum WBTC against it on Curvance, bridged the funds, and routed them through Tornado Cash.

A Key Left the Door Open

On-chain data from MonadScan confirms the transaction. The wallet labeled Echo Protocol Exploiter 1 received 1,000 eBTC, valued at $76,750,000 at the time of minting. The transaction cost the attacker less than a cent in gas fees.

The attacker then deposited 45 of those eBTC as collateral on Curvance and borrowed approximately 11.29 WBTC. Those funds moved to Ethereum, were swapped into ETH, and 385 ETH went through Tornado Cash. The full laundering trail is visible on-chain.

Blockchain developer Marioo identified what made all of this possible. The eBTC contract itself worked correctly. The problem was how the admin role was set up: a single-signature key with no timelock, no minting rate limit, and no cap on issuance. Curvance also had no collateral verification check on newly minted eBTC. One compromised key was enough.

Echo’s Official Timeline

Echo Protocol posted its first public acknowledgment at 5:23 AM on May 19, confirming only that a security incident was being investigated and that all cross-chain transactions had been suspended.

Four hours later, Echo published a full incident thread on X. The protocol confirmed unauthorized minting had occurred, that the source was a compromised admin key, and that confirmed losses on Monad stood at approximately $816,000.

“Earlier today, Echo Protocol identified unauthorized activity involving eBTC on Monad that resulted in unauthorized minting and associated fund loss. Our investigation indicates the issue originated from a compromised admin key affecting the Monad deployment.”

Echo said it had regained control of the admin key and burned the 955 eBTC that remained in the attacker’s possession by the time the post went out.

In a follow-up post, Echo stated the incident appeared isolated to Monad. The protocol found no evidence of compromise on its Aptos deployment. aBTC on Aptos and eBTC on Monad are separate assets and are not bridgeable between the two chains. Residual exposure on Aptos was put at approximately $71,000, with no confirmed fund loss on that side.

Bridge Paused Across Both Chains

As a precautionary step, Echo paused the Aptos bridge entirely despite finding no active breach there. The Monad deployment was also upgraded to restrict affected operations and tighten control over sensitive contract functions. Echo Aptos Lending was separately paused for security review.

Echo also confirmed that EVM-series bridge deployments are being upgraded to strengthen cross-chain controls. Users were advised not to interact with any unofficial links, claim pages, refund portals, or recovery forms. Echo said it would never request seed phrases, private keys, or wallet transfers.

A comprehensive review of the affected Monad deployment is underway, covering admin key exposure, contract permissions, cross-chain controls, minting controls, and operational security. External security reviewers are involved.

Monad CEO Keone Hon clarified publicly that the Monad network itself was not impacted and continued operating normally throughout the incident.

“Security researchers in their review have determined that approximately $816,000 appears to have been stolen as a result of this exploit of Echo Protocol’s eBTC,” Hon posted on X.

DeFi users with cross-chain bridge exposure, particularly those using newer protocol deployments on emerging EVM chains, now have a sharper data point on what single-signature admin setups cost when they fail. The gap between a $76.7 million unauthorized mint and $816,000 in actual confirmed losses came down to how fast Echo burned the remaining tokens. That window will not always be available.

Curvance confirmed the Echo eBTC market on its platform had been paused. The protocol said its isolated market structure stopped the issue from spreading to other lending pools, and it found no indication that its own contracts were compromised.

This is the third major DeFi exploit in five days. THORChain suffered a vault breach on May 15 that drained over $10 million. The Verus-Ethereum Bridge was hit on May 18, with losses of roughly $11.58 million. The Echo incident adds $816,000 to May’s running exploit total.