How did an attacker mint 1,000 unauthorised eBTC on Echo Protocol?

Bitcoin-focused DeFi platform Echo Protocol has suffered an exploit after an attacker minted roughly 1,000 unauthorised eBTC tokens on the protocol’s Monad deployment.

According to blockchain security firm PeckShield and on-chain analytics platform Lookonchain, the attacker created around US$76.7 million (approx. $134.2 million) worth of synthetic Bitcoin tokens before attempting to extract value through decentralised lending markets.

Echo Protocol later confirmed that it was investigating “a security incident impacting the Echo bridge on Monad,” while also stating that all cross-chain transactions had been suspended during the investigation.

Monad co-founder Keone Hon has clarified on X that the Monad network itself was operating normally and had not been compromised.

Security researchers and blockchain developers later narrowed the incident down to what developer “Marioo” described as an operational failure tied to compromised admin credentials rather than a flaw in the smart contract code itself. 

According to the developer, the eBTC contract functioned as intended, but weak access control measures allowed the attacker to take over administrative permissions.

How the exploit unfolded

On-chain investigators said the attacker first assigned themselves the DEFAULT_ADMIN_ROLE on Echo’s eBTC contract before granting their wallet the MINTER_ROLE, which enabled the creation of new tokens without backing. 

After securing minting privileges, the attacker reportedly removed their own admin permissions to avoid retaining a visible administrative role on-chain.

With those controls in place, the exploiter minted 1,000 eBTC tokens worth approximately US$77 million (approx. $134.8 million) on paper. 

Limited liquidity across the Monad ecosystem, however, prevented the attacker from converting most of the assets directly through decentralised exchanges.

Instead, data shared by Onchain Lens and Lookonchain showed the attacker deposited 45 eBTC, valued at roughly US$3.5 million (approx. $6 million), into DeFi lending protocol Curvance as collateral. 

Against those deposits, the attacker borrowed approximately 11.29 wrapped Bitcoin (WBTC) worth about $867,700.

After bridging the borrowed WBTC to Ethereum, the exploiter swapped the assets into ETH and transferred roughly 384 to 385 ETH into crypto mixer Tornado Cash, according to multiple on-chain tracking accounts.

Lookonchain and DeBank data indicated that the attacker still controls 955 eBTC worth around US$73 million (approx. $127.8 million), though DefiPrime founder Nick Sawinyh said in a post that the remaining tokens were effectively unusable because Monad’s DeFi liquidity depth could not absorb the fake supply.

Marioo also pointed to several security weaknesses that amplified the attack’s impact, including the use of a single-signature admin role, the absence of a timelock mechanism, no minting cap or rate limiter, and a lack of collateral sanity checks on Curvance for newly minted eBTC.

Protocols move to contain damage

As the exploit unfolded, Curvance said it detected an “anomaly” in the Echo eBTC market and paused the affected lending market while investigations continued. 

The protocol stated there was no indication that its own smart contracts had been breached, adding that its isolated market architecture prevented spillover into other lending pools.

According to Hon, security researchers estimated realised losses at roughly $816,000, substantially below the paper value of the unauthorised mint because most of the fake eBTC supply could not be liquidated.

Echo Protocol, which focuses on Bitcoin liquidity aggregation, liquid staking, restaking, and yield generation across multiple chains, has yet to disclose how the admin credentials were compromised. 

The protocol said further updates would be shared through official channels as the investigation progresses.

The incident has added to a growing list of DeFi exploits recorded since the start of the year.

As previously reported by Invezz, KelpDAO bridge infrastructure was compromised in an advanced RPC poisoning and distributed denial-of-service (DDoS) attack that resulted in a massive US$292 million (approx. $511 million) exploit.