Lead
Echo Protocol, a Bitcoin‑focused DeFi liquidity and yield platform, disclosed that an attacker compromised an admin key on its Monad deployment, minted 1,000 eBTC worth about $77 million and moved $816,000 through the Tornado Cash mixer, prompting an immediate pause of cross‑chain functionality and a contract upgrade.
Background
Echo Protocol issues wrapped Bitcoin tokens on two separate blockchains: eBTC on Monad and aBTC on Aptos. The tokens are intended to bring Bitcoin liquidity to DeFi applications on those chains without requiring a native bridge between them. Admin keys control minting and other privileged functions for each deployment, and a breach of such a key can enable unauthorized token creation. Similar admin‑key attacks have affected other cross‑chain projects in recent months, highlighting the growing operational risk of off‑chain components in DeFi.
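To make the admin‑key risk described above concrete, here is an added illustration (not Echo's code, and not based on its actual contracts) of how an EVM mint path can be structured so that one stolen key cannot mint a large supply in a single transaction: mints are queued under a time lock, capped per rolling window, and vetoable by a separate guardian key. Contract and function names, the 12‑hour delay, the 10 BTC window cap and the 8‑decimal unit are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical wrapped-BTC token whose mint path is rate-limited and
/// time-locked, so a single compromised minter key cannot create 1,000
/// tokens at once. All names and parameters here are example assumptions.
contract CappedMintToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public minter;    // operational key: may only queue mints
    address public guardian;  // separate key (ideally a multisig): may cancel
    uint256 public constant MINT_DELAY = 12 hours; // time lock per mint
    uint256 public constant WINDOW = 1 days;       // rolling cap window
    uint256 public constant WINDOW_CAP = 10e8;     // 10 BTC in 8-decimal units
    uint256 public windowStart;
    uint256 public mintedInWindow;
    struct PendingMint { address to; uint256 amount; uint256 readyAt; }
    mapping(bytes32 => PendingMint) public pending;
    // Queued mints are emitted so off-chain monitoring can alert during the delay.
    event MintQueued(bytes32 id, address to, uint256 amount, uint256 readyAt);
    event Minted(address to, uint256 amount);

    constructor(address _minter, address _guardian) {
        minter = _minter; guardian = _guardian; windowStart = block.timestamp;
    }
    /// Step 1: the minter only announces a mint; no tokens exist yet.
    function queueMint(address to, uint256 amount) external returns (bytes32 id) {
        require(msg.sender == minter, "not minter");
        require(amount <= WINDOW_CAP, "exceeds per-window cap");
        id = keccak256(abi.encode(to, amount, block.timestamp, msg.sender));
        pending[id] = PendingMint(to, amount, block.timestamp + MINT_DELAY);
        emit MintQueued(id, to, amount, block.timestamp + MINT_DELAY);
    }
    /// The guardian can veto any queued mint while the delay is running.
    function cancelMint(bytes32 id) external {
        require(msg.sender == guardian, "not guardian");
        delete pending[id];
    }
    /// Step 2: anyone may execute once the delay has passed and the cap allows.
    function executeMint(bytes32 id) external {
        PendingMint memory p = pending[id];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "not ready");
        if (block.timestamp >= windowStart + WINDOW) { windowStart = block.timestamp; mintedInWindow = 0; }
        require(mintedInWindow + p.amount <= WINDOW_CAP, "window cap reached");
        mintedInWindow += p.amount;
        delete pending[id];
        totalSupply += p.amount; balanceOf[p.to] += p.amount;
        emit Minted(p.to, p.amount);
    }
}
```

With this layout, a mint of 1,000 tokens would need at least 100 separate windows, and every queued mint is visible on‑chain for 12 hours before it can take effect, giving the guardian key and monitoring tooling time to cancel it.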
What Happened
According to a security analysis by PeckShield and on‑chain sleuth dcfgod, the attacker used a compromised admin key to mint 1,000 eBTC, valued at $76.7 million. The flow continued as follows:
- The attacker deposited 45 eBTC (approximately $3.45 million) into the Curvance contract.
- Using the deposited eBTC as collateral, the attacker borrowed about 11.29 WBTC, worth $867,700.
- The borrowed WBTC was bridged to Ethereum, swapped for ETH, and 384 ETH (roughly $821,700) was sent to the Tornado Cash mixer.
Echo Protocol confirmed the breach in a Tuesday tweet, stating that the issue originated from a compromised admin key affecting only the Monad deployment. The team regained control of its admin keys, burned the remaining 955 eBTC in the attacker’s possession, and reported that the Monad network itself remained operational.
Echo also clarified that the incident appears isolated to Monad. No compromise was found on Aptos, where the aBTC token resides. Exposure on Aptos is limited to about $71,000 across Echo’s lending markets and Hyperion liquidity pools, and no loss has been confirmed on that chain.
In response, Echo paused cross‑chain functionality for Monad, upgraded the affected Monad contracts to restrict sensitive operations, and fully paused the Aptos bridge as a precaution. Echo’s Aptos lending services have been suspended, and the team is upgrading its EVM‑series bridge deployments to further tighten cross‑chain controls.
Market & Industry Implications
The exploit adds to a series of high‑profile DeFi breaches, including recent attacks on THORChain, TrustedVolumes and a $293 million infrastructure‑linked hack of KelpDAO attributed to North Korea’s Lazarus Group. The recurring admin‑key pattern underscores the vulnerability of DeFi protocols that rely on centralized off‑chain components for key management.
Misha Putiatin, co‑founder of Symbiotic and smart‑contract security firm Statemind, warned that as DeFi protocols lean more on off‑chain infrastructure, “Web2.5” style attacks targeting centralized key management and operational databases are likely to increase. He described the current risk environment as a “balancing act” where systems with more involved management become more susceptible to social engineering and infrastructure attacks compared with fully permissionless designs.
Echo’s swift containment actions—regaining admin control, burning the illicit tokens and pausing cross‑chain bridges—demonstrate an emerging operational playbook for DeFi projects facing similar threats. The incident may accelerate industry‑wide adoption of stricter key‑management practices and broader security audits of off‑chain components, mirroring the post‑2021 shift toward mandatory smart‑contract audits.
What to Watch
- Further updates from Echo Protocol on the comprehensive review of the Monad deployment and any residual risk to users.
- Implementation details of the upgraded Monad contracts and EVM‑series bridges, including any new multi‑sig or time‑locked controls.
- Regulatory or industry‑wide guidance on off‑chain key management for cross‑chain DeFi protocols.
- Potential impact on the liquidity of eBTC and aBTC markets, especially if users withdraw from Echo’s lending pools.
- Follow‑on investigations by blockchain security firms into whether other protocols share similar admin‑key vulnerabilities.