Daily Crypto News & Musings

Echo Protocol Pauses Bridge After $76.7M Fake eBTC Mint on Monad

Echo Protocol has paused bridge activity after an attacker minted roughly 1,000 unauthorized eBTC on its Monad deployment, creating about $76.7 million in fake synthetic Bitcoin exposure while extracting only a fraction of that value so far.

  • About 1,000 unauthorized eBTC were minted
  • Roughly $76.7 million in synthetic Bitcoin exposure was created
  • The likely cause is a compromised admin private key, not a Monad or Curvance core breach
  • About $816,000 to $868,000 appears to have been extracted so far
  • Cross-chain transactions have been suspended during the investigation

The exploit hit Echo Protocol, a Bitcoin-focused DeFi platform, on its Monad deployment and quickly turned into a familiar kind of crypto mess: not a chain-level failure, but a control-plane failure. That distinction matters. Monad itself was said to be operating normally, and Curvance’s lending contracts were not blamed either. The weak link appears to have been Echo’s administrative security, where one compromised key was enough to mint counterfeit collateral and start the whole chain reaction.

Here’s the basic flow. The attacker minted fake eBTC, a token designed to represent Bitcoin exposure inside DeFi. Then they used part of that fake collateral to borrow real assets, bridged those funds to Ethereum, swapped them into ETH, and sent some through Tornado Cash to obscure the trail. It’s the sort of operation that exposes a hard truth about DeFi: the code may be elegant, but if the keys are sloppy and the controls are weak, the whole setup can collapse into expensive theater.

Security researchers say the attacker minted around 1,000 unauthorized eBTC tokens, equal to about $76.7 million in nominal value. Of that, 45 eBTC was deposited into Curvance as collateral, allowing the attacker to borrow roughly 11.29 WBTC, worth close to $868,000 at the time. WBTC, or wrapped Bitcoin, is Bitcoin represented on another chain so it can be used in smart contracts and lending markets. That borrowed WBTC was then bridged to Ethereum, swapped for ETH, and partially routed into Tornado Cash.

PeckShield estimated that about 384 ETH, worth roughly $822,000, had already been transferred to the mixer. Onchain Lens, Lookonchain, and DeBank data helped track the movement of funds and the attacker’s remaining balance. The striking part is that most of the unauthorized eBTC still appears to be sitting there. Lookonchain and DeBank suggested the attacker still holds around 955 eBTC, worth more than $73 million. So while the mint itself was huge, the extracted value looks far smaller — around $816,000 to $868,000 so far.

That gap between nominal mint and actual realized loss is important. Printing fake collateral is one thing. Turning it into usable money without crashing liquidity, tripping alarms, or getting stuck with a pile of toxic tokens is another. The attacker appears to have managed the first part. The second part is where the wheels start wobbling.

Echo Protocol described the incident as a “security incident impacting the Echo bridge on Monad” and suspended cross-chain transactions while the investigation continues. Curvance also acted defensively, saying “the affected Echo eBTC market had been paused as a precaution”. Those are sensible moves, but they also underline a less glamorous truth: bridge security and collateral verification are not side quests. They are the whole game.

Blockchain developer Marioo said the issue stemmed from “an admin private key compromise rather than a smart contract failure.” He also said the eBTC contract had “operated as intended”. That means the contract likely did exactly what it was programmed to do when given the right permissions. The problem was that someone got those permissions. In plain English: the protocol didn’t get “hacked” in the Hollywood sense. The people running it appear to have left the keys where a thief could grab them.

Nick Sawinyh, founder of DefiPrime, framed the lesson bluntly:

“For anyone using newly-launched lending markets on newly-launched chains, the practical takeaway is narrow: before you supply real assets, look at what the borrowable collateral actually is, who can mint it, and whether anything stops them from minting more. If your lender can’t tell you which keys can produce that collateral, neither can you.”

That’s not just a warning for Echo users. It’s a warning for anyone poking around in new DeFi markets that look sleek on the surface but are quietly held together by a thin layer of trust, a couple of admin keys, and some optimistic assumptions. If a protocol can mint collateral without strong safeguards like timelocks, mint caps, issuance rate limits, or multi-step verification, then “decentralized finance” starts looking suspiciously like “please trust our hot wallet and our vibes.”

Monad co-founder Keone Hon tried to calm the market by stating that “the blockchain itself continued operating normally and had not been breached.” That distinction matters because people love to blame the chain whenever something goes wrong. But base-layer security and application-layer security are not the same thing. A blockchain can be perfectly healthy while a protocol built on top of it gets kneecapped by bad access control. The chain didn’t fail here; the operational setup did.

For newer readers, it helps to separate a few concepts. A bridge is a system that moves value or representations of value between blockchains. eBTC is Echo’s synthetic or Bitcoin-linked asset used in DeFi markets to create Bitcoin exposure on-chain. WBTC is wrapped Bitcoin, a tokenized version of BTC that can be used in smart contracts. These tools are useful because they let Bitcoin interact with lending, trading, and yield systems that native BTC alone does not handle very well. But they also come with sharp edges. If minting controls or collateral checks are weak, the entire structure becomes fragile fast.

Tornado Cash adds another layer of ugliness. It’s a crypto mixing service used to obscure transaction trails, and it has become a favorite route for attackers trying to hide stolen funds. When exploits move through mixers, investigators have to work harder, victims have a harder time tracing value, and the whole ecosystem takes another reputational hit. Crypto doesn’t just have a technology problem here. It has a laundering problem too.

This incident also lands in a year already packed with DeFi security failures. Among the other incidents cited were the Verus Protocol Ethereum bridge exploit at about $11.6 million, Drift Protocol’s roughly $285 million exploit, Kelp DAO’s attack at around $292 million, a suspected THORChain exploit near $10 million, and a Transit Finance deprecated contract exploit worth about $1.88 million. That is a brutal list. It points to the same recurring issue: in DeFi, losses often come not from the grand, dramatic failure of a blockchain, but from weak keys, sloppy administration, brittle trust models, and protocols that are one bad decision away from becoming a very expensive lesson.

The fact that most of the fake eBTC remains unsold cuts both ways. On one hand, the attacker has not been able to fully monetize the mint. On the other hand, the position is still hanging over the market like a loaded gun. Dump too much of it, and liquidity dries up. Try to cash out too aggressively, and scrutiny spikes. Hold it too long, and the whole thing becomes a giant trapped bag of counterfeit exposure.

That leaves the bigger question: what does this mean for Bitcoin-focused DeFi? The uncomfortable answer is that these systems can be useful, even necessary, for unlocking liquidity and making BTC more productive on-chain. Bitcoin is excellent at being Bitcoin, but not everything else. Wrapped or synthetic BTC can fill niches that native BTC doesn’t serve well. The problem is not the concept. The problem is the trust perimeter. If you’re going to build synthetic Bitcoin markets on new chains, you need serious controls around minting, access, and collateral. Otherwise you’re not building finance. You’re building a beautifully branded trapdoor.

Echo’s pause on bridge activity, Curvance’s market freeze, and the ongoing investigation are all reasonable responses. The broader fix is less flashy but far more important: tighter key management, better custody practices, stricter mint permissions, timelocks, rate limits, and collateral verification that actually means something. DeFi can move fast and still be secure. It just can’t keep pretending that “trust us” is a substitute for real controls. That’s how you end up with a $76.7 million mint and a little less than a million dollars actually stolen — which is a weirdly specific reminder that crypto criminals, like everyone else, can be surprisingly bad at operational execution.
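To make the controls named above and in the earlier list of safeguards (timelocks, mint caps, issuance rate limits) concrete, here is an added Python model of a mint policy layer; it is not Echo's contract code, and the class, method names and every parameter value are constructed for illustration. It shows what a single stolen admin key can and cannot do when those three limits sit in front of the mint function.

```python
from collections import deque

class MintGuard:
    """Policy layer in front of mint(): limits a valid admin key cannot bypass."""
    def __init__(self, supply_cap, window_limit, window_secs, instant_max, timelock_secs):
        self.supply_cap, self.window_limit, self.window_secs = supply_cap, window_limit, window_secs
        self.instant_max, self.timelock_secs = instant_max, timelock_secs
        self.total_supply = 0
        self.recent = deque()  # (timestamp, amount) of executed mints
        self.queue = {}        # request id -> (amount, earliest execution time)

    def request(self, req_id, amount, now):
        # Small mints execute at once; larger ones wait behind the timelock.
        if amount <= self.instant_max:
            return self._execute(amount, now)
        self.queue[req_id] = (amount, now + self.timelock_secs)
        return "queued"

    def cancel(self, req_id):
        # Guardian action: drop a queued mint noticed during the delay.
        return self.queue.pop(req_id, None) is not None

    def execute_queued(self, req_id, now):
        amount, ready_at = self.queue[req_id]
        if now < ready_at:
            return "rejected: timelock not elapsed"
        del self.queue[req_id]
        return self._execute(amount, now)

    def _execute(self, amount, now):
        while self.recent and self.recent[0][0] <= now - self.window_secs:
            self.recent.popleft()  # forget mints older than the window
        if self.total_supply + amount > self.supply_cap:
            return "rejected: supply cap exceeded"
        if sum(a for _, a in self.recent) + amount > self.window_limit:
            return "rejected: issuance rate limit exceeded"
        self.total_supply += amount
        self.recent.append((now, amount))
        return "minted"

def stolen_key_scenario():
    # Constructed parameters (whole eBTC, seconds); not Echo's real settings.
    g = MintGuard(supply_cap=500, window_limit=20, window_secs=86_400,
                  instant_max=5, timelock_secs=172_800)
    big = g.request("r1", 1000, now=0)        # the 1,000 eBTC mint is only queued
    early = g.execute_queued("r1", now=3600)  # one hour later: still locked
    cancelled = g.cancel("r1")                # guardian drops it within 48 h
    small = [g.request(f"s{i}", 5, now=3600 + i) for i in range(5)]
    return big, early, cancelled, small, g.total_supply
```

With these limits the key holder's exposure is bounded by the 24-hour window (20 eBTC in this model) rather than by whatever amount they choose to type in.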

  • What happened to Echo Protocol?
    An attacker minted about 1,000 unauthorized eBTC tokens on Echo’s Monad deployment and used part of them to borrow real assets.
  • Was Monad hacked?
    No. Monad’s co-founder said the blockchain itself was not breached, and the evidence points to a protocol-level access compromise.
  • Was Curvance hacked?
    Curvance said its core smart contracts were not compromised. The affected Echo eBTC market was paused as a precaution.
  • How much value was created in the exploit?
    About $76.7 million in unauthorized eBTC was minted.
  • How much was actually extracted?
    Roughly $816,000 to $868,000 appears to have been realized so far.
  • What caused the exploit?
    The leading theory is a compromised admin private key, not a flaw in Monad or Curvance’s core contracts.
  • Why didn’t the attacker cash out everything?
    Most of the fake eBTC still appears to be unsold, likely because fully exiting such a large position is difficult and risky.
  • What does this mean for DeFi users?
    It’s a reminder to check who can mint collateral, what controls exist, and whether a market is actually secure or just dressed up to look that way.