Echo Protocol Suffers $76.6M eBTC Minting Attack on Monad
Echo Protocol, a prominent Bitcoin DeFi platform on the Monad chain, has fallen victim to a sophisticated administrator key compromise, resulting in the unauthorized minting of 1,000 eBTC tokens. While the nominal value of the forged tokens reached an astounding $76.6 million, the actual realized loss for the protocol was significantly less, totaling approximately $816,000.

Admin Key Compromise Leads to Massive eBTC Forgery

On May 19, 2026, the Echo Protocol experienced a critical security breach when an attacker gained control of the administrator privileges for its eBTC token contract on the Monad mainnet. The attacker first assigned the DEFAULT_ADMIN_ROLE to their own wallet, effectively obtaining the master key to the contract. Subsequently, they granted themselves the MINTER_ROLE, enabling them to call the mint() function without any collateral.

This exploit led to the creation of 1,000 unbacked eBTC tokens, which at the time held a market value of around $76.6 million. After minting the tokens, the attacker revoked their own administrative permissions, a move suggesting a calculated effort to obscure on-chain forensics. The eBTC is designed as a wrapped token, intended to be 1:1 collateralized by Bitcoin, allowing holders to engage with Monad’s native DeFi ecosystem.
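The sequence described above (admin role grant, minter role grant, mint, self-revocation) can be watched for in decoded contract events. The following is an added detection example, not code from Echo Protocol or this article; it assumes `RoleGranted`/`RoleRevoked` events in the style of OpenZeppelin AccessControl, a `Mint` record derived upstream from the mint transfer and its transaction sender, and constructed addresses and block numbers.

```python
"""Flag the grant -> mint -> self-revoke pattern in decoded token-contract events."""

PRIVILEGED = {"DEFAULT_ADMIN_ROLE", "MINTER_ROLE"}

def flag_role_abuse(events, known_holders, window=100):
    """Return alerts for privileged roles reaching unknown accounts and being used.

    events: dicts sorted by block, 'type' is RoleGranted, RoleRevoked or Mint (assumed schema).
    known_holders: accounts approved to hold privileged roles.
    window: max blocks between a grant and a mint for the two to be linked.
    """
    alerts = []
    granted = {}   # (account, role) -> block of grant to an unapproved account
    minted = {}    # account -> block of its last flagged mint
    for ev in events:
        kind, blk = ev["type"], ev["block"]
        if kind == "RoleGranted" and ev["role"] in PRIVILEGED:
            acct = ev["account"]
            if acct not in known_holders:
                granted[(acct, ev["role"])] = blk
                alerts.append((blk, "UNKNOWN_ROLE_HOLDER", acct, ev["role"]))
        elif kind == "Mint":
            acct = ev["minter"]
            g = granted.get((acct, "MINTER_ROLE"))
            if g is not None and blk - g <= window:
                minted[acct] = blk
                alerts.append((blk, "MINT_BY_NEW_MINTER", acct, ev["amount"]))
        elif kind == "RoleRevoked" and ev["role"] in PRIVILEGED:
            acct = ev["account"]
            # Self-revocation after a flagged mint matches the cleanup step in the article.
            if ev["sender"] == acct and acct in minted:
                alerts.append((blk, "SELF_REVOKE_AFTER_MINT", acct, ev["role"]))
    return alerts

# Constructed sample events (addresses and block numbers are made up).
SAMPLE = [
    {"type": "RoleGranted", "block": 10, "role": "DEFAULT_ADMIN_ROLE", "account": "0xATTACKER", "sender": "0xADMIN"},
    {"type": "RoleGranted", "block": 11, "role": "MINTER_ROLE", "account": "0xATTACKER", "sender": "0xATTACKER"},
    {"type": "Mint", "block": 12, "minter": "0xATTACKER", "amount": 1000},
    {"type": "RoleRevoked", "block": 13, "role": "MINTER_ROLE", "account": "0xATTACKER", "sender": "0xATTACKER"},
    {"type": "RoleRevoked", "block": 13, "role": "DEFAULT_ADMIN_ROLE", "account": "0xATTACKER", "sender": "0xATTACKER"},
    {"type": "RoleGranted", "block": 500, "role": "MINTER_ROLE", "account": "0xBRIDGE", "sender": "0xADMIN"},
    {"type": "Mint", "block": 501, "minter": "0xBRIDGE", "amount": 2},
]

if __name__ == "__main__":
    for alert in flag_role_abuse(SAMPLE, known_holders={"0xADMIN", "0xBRIDGE"}):
        print(alert)
```

The first alert fires at the admin grant, before any token exists, which is the point at which a pause or key rotation still prevents the mint.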

Monad’s Liquidity Gap Limits Real-World Damage

Despite the substantial nominal loss, the attacker was unable to convert the majority of the forged eBTC into tangible assets due to the nascent Monad DeFi ecosystem’s limited liquidity. The attacker deposited 45 eBTC, valued at roughly $3.5 million, into Curvance, a lending platform on Monad. This allowed them to borrow 11.29 Wrapped Bitcoin (WBTC), worth approximately $867,700, from the chain’s largest Bitcoin lending market.

The borrowed WBTC was then bridged to the Ethereum mainnet, converted into 384 ETH, and subsequently sent to Tornado Cash to conceal the funds. The remaining 955 eBTC in the attacker’s wallet became isolated on Monad, preventing further withdrawals before the Echo team could respond. Echo Protocol’s official report confirms the actual realized loss at $816,000.

Broader Implications for Bitcoin DeFi and New Chains

This incident marks the 14th major cryptocurrency hack in May 2026, highlighting two critical trends. First, Bitcoin DeFi platforms are increasingly migrating to faster execution chains. Second, administrator key compromises are emerging as a greater security risk than inherent smart contract vulnerabilities, accounting for over 70% of major crypto incidents in 2026.

The Echo Protocol attack serves as Monad’s first significant security breach. While not a flaw in the chain itself, it exposes the immaturity of new DeFi infrastructures. Had this occurred on the Ethereum mainnet with 1,000 unbacked WBTC, the attacker could have withdrawn tens of millions of dollars. Monad’s limited liquidity, with its largest BTC-based pool at only 11 WBTC, inadvertently mitigated a nine-figure loss.

Other Bitcoin DeFi projects like HEMI, Bitlight, and Babylon, which use similar wrapped token structures, face comparable risks. They share a structural vulnerability where the bridge or minting contract exists on a new chain, and administrator privileges represent a single point of failure.

Securing the Future of Wrapped Bitcoin Tokens

The Echo Protocol team responded swiftly, recovering administrative control, burning the 955 remaining eBTC, and temporarily suspending cross-chain functionality to prevent further unauthorized token transfers. They have since upgraded the contract to strengthen role management and introduced rate-limiting for eBTC minting. A full forensic report is anticipated, and the team is collaborating with security firms to trace the funds moved to Tornado Cash.

For users holding wrapped Bitcoin on new chains, verifying the administrator structure is paramount. Understanding whether minting functions are controlled by a single key, a weak multisig, or a fully programmatic, permissionless system is crucial. The Echo attack underscores that a truly resilient structure requires a fully programmatic, role-less minting process, eliminating single points of failure.
