
HIGH RISK
Echo Protocol Hit By $76M EBTC Minting Exploit On Monad
Compromised admin key let attacker mint 1,000 unauthorized eBTC ($76M) on Monad. Only ~$816K extracted via Curvance before Echo burned remaining tokens.
Our Analysis
On May 19, 2026, Echo Protocol — a Bitcoin-focused DeFi platform operating on the Monad blockchain — suffered a significant exploit when an attacker compromised a single administrative private key. Using this key, the attacker assigned themselves the DEFAULT_ADMIN_ROLE on Echo's eBTC smart contract, then granted their own wallet the MINTER_ROLE and revoked the original admin's access. With minting authority established, the attacker created 1,000 eBTC tokens — Echo's bitcoin liquidity token on Monad — representing a notional value of approximately $76.7 million, all for negligible gas fees.
The attacker moved quickly to extract real value from the unauthorized tokens. They deposited 45 eBTC (worth approximately $3.45 million at the time) into Curvance, a lending protocol on Monad, using it as collateral to borrow 11.29 WBTC (~$867,700). The borrowed WBTC was then bridged to Ethereum, swapped for approximately 385 ETH, and deposited into Tornado Cash to launder the proceeds. Security researchers estimated the total realized loss at approximately $816,000 — significantly less than the $76.7 million notional value of the minted tokens, as the attacker was unable to liquidate the bulk of the fraudulent eBTC before the team responded.
Echo Protocol's response was relatively swift. The team regained control of the compromised administrative keys and immediately burned the attacker's remaining 955 eBTC, eliminating the outstanding fraudulent supply. Cross-chain functionality for the Monad deployment was paused, and the team completed an upgrade of the relevant Monad contracts to restrict affected operations and strengthen control over sensitive functions. Curvance acknowledged the incident and paused the affected Echo eBTC market as a precaution, noting that its isolated market structure prevented the issue from spreading to other lending pools. Curvance confirmed its own smart contracts were not compromised.
The incident exposed critical security weaknesses in Echo Protocol's access control architecture. The use of a single-signature admin role with no timelock mechanism, no multi-signature requirement, and no minting cap or rate limiter allowed the attacker to escalate privileges and mint unlimited tokens in a single transaction sequence. The absence of collateral sanity checks on Curvance for newly minted eBTC also contributed to the attacker's ability to extract real value. Monad's core consensus layer was unaffected — the exploit was purely at the application level.
This exploit highlights the ongoing risks of centralized admin keys in DeFi protocols, even on newer blockchain platforms like Monad. Users should verify that protocols they interact with employ multi-signature governance, timelocks on privileged operations, and minting caps on synthetic assets. Checking whether admin roles can be unilaterally reassigned is a critical due diligence step before depositing funds into any DeFi protocol.
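As an added illustration (this is not Echo Protocol's code, nor a reconstruction of the exploited contract), the Solidity sketch below shows what a bridge-minted token looks like once the three controls named in the analysis are present: a per-window minting cap, a delay on handing over DEFAULT_ADMIN_ROLE, and an admin address intended to be a multisig rather than a single key. It assumes OpenZeppelin Contracts v5 import paths and its AccessControlDefaultAdminRules extension; the contract name, token name, cap and window values are placeholders chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 layout. Names and numbers below are illustrative only.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControlDefaultAdminRules} from
    "@openzeppelin/contracts/access/extensions/AccessControlDefaultAdminRules.sol";

/// @notice Example token with the controls the incident analysis describes as missing:
///  1. a per-window mint cap, so a compromised MINTER_ROLE key cannot mint an unbounded amount;
///  2. a mandatory delay before a new DEFAULT_ADMIN_ROLE holder can accept the role, so admin
///     cannot be re-assigned in the same transaction sequence that exploits it;
///  3. an admin address passed in at deployment that is meant to be a multisig, not an EOA.
contract CappedBridgeToken is ERC20, AccessControlDefaultAdminRules {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    uint256 public immutable mintCapPerWindow; // maximum units mintable in one window
    uint256 public immutable windowLength;     // window size in seconds
    uint256 public windowStart;                // timestamp at which the current window began
    uint256 public mintedInWindow;             // units minted so far in the current window

    event MintWindowReset(uint256 newWindowStart);
    error MintCapExceeded(uint256 requested, uint256 remainingInWindow);

    /// @param multisigAdmin   holder of DEFAULT_ADMIN_ROLE (intended to be a multisig)
    /// @param adminTransferDelay seconds a pending admin transfer must wait before acceptance
    /// @param initialMinter   bridge or minter contract that receives MINTER_ROLE
    /// @param cap             maximum units mintable per window
    /// @param window          window length in seconds
    constructor(
        address multisigAdmin,
        uint48 adminTransferDelay,
        address initialMinter,
        uint256 cap,
        uint256 window
    )
        ERC20("Example Wrapped BTC", "exBTC")
        AccessControlDefaultAdminRules(adminTransferDelay, multisigAdmin)
    {
        require(cap > 0 && window > 0, "cap/window must be nonzero");
        mintCapPerWindow = cap;
        windowLength = window;
        windowStart = block.timestamp;
        _grantRole(MINTER_ROLE, initialMinter);
    }

    /// @dev BTC-style 8-decimal units for the example.
    function decimals() public pure override returns (uint8) {
        return 8;
    }

    /// @notice Mint only within the rolling cap. Even a compromised minter key can create at most
    ///         `mintCapPerWindow` units per window; anything beyond that reverts.
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        if (block.timestamp >= windowStart + windowLength) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
            emit MintWindowReset(windowStart);
        }
        uint256 remaining = mintCapPerWindow - mintedInWindow;
        if (amount > remaining) revert MintCapExceeded(amount, remaining);
        mintedInWindow += amount;
        _mint(to, amount);
    }

    /// @notice Read-only view useful for the due-diligence check described in the article:
    ///         how much the minter can still create before the cap is reached.
    function remainingMintAllowance() external view returns (uint256) {
        if (block.timestamp >= windowStart + windowLength) return mintCapPerWindow;
        return mintCapPerWindow - mintedInWindow;
    }
}
```

Two points a reviewer should take from this sketch. First, the inherited AccessControlDefaultAdminRules rejects direct `grantRole(DEFAULT_ADMIN_ROLE, ...)` calls and forces a two-step transfer gated by `defaultAdminDelay()`, which an outside party can read on-chain; a token whose admin role can be granted in a single call, as the analysis describes, has no such guard. Second, the delay does not help when the admin key itself is the thing compromised, which is why the cap on `mint` matters: it turns "unlimited tokens in one transaction sequence" into a bounded amount per window, giving the team and lending markets time to notice and respond.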
RugPull News • May 19, 2026
Rug Pull Score
7.2/10
Based on our analysis
🚩 Red Flags Identified
- Single-signature admin key controlled minting privileges with no timelock or multi-sig requirement
- Attacker self-assigned DEFAULT_ADMIN_ROLE then granted MINTER_ROLE to their own wallet
- 1,000 eBTC minted for negligible gas fees with no minting cap or rate limiter in contract
- 45 eBTC deposited as collateral on Curvance to borrow 11.29 WBTC (~$867K) without collateral sanity checks
- Stolen WBTC bridged to Ethereum, swapped to ~385 ETH, and laundered through Tornado Cash
- Original admin role was revoked by attacker before team regained control
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.