HIGH RISK

Echo Protocol Hit By $76M eBTC Minting Exploit On Monad

Compromised admin key lets attacker mint 1,000 unbacked eBTC ($76.7M) on Monad. Actual losses limited to $816K after Echo burns remaining tokens.

Our Analysis

On May 19, 2026, Echo Protocol — a Bitcoin-focused DeFi platform operating on the Monad blockchain — suffered a security breach when an attacker gained control of a compromised administrator private key. Using this access, the attacker minted 1,000 unbacked eBTC (Echo's wrapped Bitcoin token) worth approximately $76.7 million at prevailing Bitcoin prices. While the headline figure was staggering, actual realized losses were limited to approximately $816,000 due to the protocol's rapid response.

The attack exploited a critical architectural weakness: Echo Protocol's Monad deployment relied on a single admin key with DEFAULT_ADMIN_ROLE privileges. The attacker used this access to grant themselves MINTER_ROLE permissions, then minted 1,000 eBTC without any backing Bitcoin collateral. Three fundamental security failures enabled the exploit: a single admin key with no backup controls, no timelock delay on privileged operations, and no minting cap on the eBTC contract. This allowed the attacker to mint unlimited tokens in a single transaction.

The attacker's laundering path was methodical: they deposited 45 of the unbacked eBTC tokens into Curvance, a lending protocol on Monad, as collateral. Against this fabricated collateral, they borrowed 11.29 WBTC (worth approximately $867,700). The stolen WBTC was then bridged from Monad to Ethereum mainnet, swapped for approximately 384 ETH, and sent through Tornado Cash to obscure the trail. The total realized loss — the actual value extracted from the ecosystem — was approximately $816,000 to $822,000.

Echo Protocol responded quickly by regaining control of the compromised admin keys and burning the remaining 955 eBTC that the attacker still held but had not yet liquidated. The team paused all cross-chain functionality for the Monad deployment and completed a contract upgrade to restrict affected operations. Aptos bridge operations were also paused as a precautionary measure, given Echo's multi-chain architecture.

This exploit highlights the ongoing access-control risks plaguing DeFi protocols. Projects managing significant TVL should implement multisignature wallets for admin functions, enforce timelocks on privileged operations (giving the community time to react to suspicious transactions), and set sensible minting caps. Users should check whether protocols they deposit into use single-key admin access — this information is often visible in verified contract source code on block explorers. A protocol where one key can mint unlimited tokens is effectively one compromise away from total loss.
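
The three missing controls named above (a trusted grantor, a delay on privileged operations, a mint cap) can also be watched for from outside the contract. The following is an added example, not code from Echo Protocol or from this article: a monitor over decoded `RoleGranted` and mint (`Transfer` from the zero address) events. The addresses, thresholds, the `tx_from` field and the whole-token values are assumptions, and the sample events are constructed.

```python
"""Flag a fresh MINTER_ROLE grant followed by an oversized mint (added example)."""

ZERO = "0x" + "0" * 40               # ERC-20 mints appear as Transfer from the zero address
MINT_CAP = 50                        # assumed alert threshold, whole tokens per window
WINDOW = 3600                        # assumed rolling window, seconds
MIN_ROLE_AGE = 48 * 3600             # assumed delay before a newly granted minter is trusted
TRUSTED_GRANTORS = {"0xTIMELOCK"}    # placeholder for the governance timelock or multisig

def scan(events):
    """events: decoded logs sorted by timestamp. Returns [(ts, rule, detail), ...]."""
    alerts, granted_at, mints = [], {}, []
    for e in events:
        if e["event"] == "RoleGranted" and e["role"] == "MINTER_ROLE":
            granted_at[e["account"]] = e["ts"]
            # Rule 1: minting rights handed out by anything other than governance.
            if e["sender"] not in TRUSTED_GRANTORS:
                alerts.append((e["ts"], "untrusted-grantor", e["sender"]))
        elif e["event"] == "Transfer" and e["from"] == ZERO:
            # Rule 2: the minter received its role too recently (no effective timelock).
            # Minters granted before monitoring began have unknown age and are not flagged.
            age = e["ts"] - granted_at.get(e["tx_from"], float("-inf"))
            if age < MIN_ROLE_AGE:
                alerts.append((e["ts"], "fresh-minter", e["tx_from"]))
            # Rule 3: total minted inside the rolling window exceeds the cap.
            mints = [(t, v) for t, v in mints if e["ts"] - t < WINDOW]
            mints.append((e["ts"], e["value"]))
            total = sum(v for _, v in mints)
            if total > MINT_CAP:
                alerts.append((e["ts"], "mint-cap-exceeded", total))
    return alerts

# Constructed sample: one routine mint, then a grant by a lone admin key and a 1,000-token mint.
SAMPLE = [
    {"ts": 1000, "event": "Transfer", "from": ZERO, "tx_from": "0xBRIDGE",
     "to": "0xUSER", "value": 2},
    {"ts": 5000, "event": "RoleGranted", "role": "MINTER_ROLE",
     "account": "0xNEW", "sender": "0xADMIN_EOA"},
    {"ts": 5012, "event": "Transfer", "from": ZERO, "tx_from": "0xNEW",
     "to": "0xNEW", "value": 1000},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

In real logs the role is the `bytes32` hash of the role name and amounts are in the token's smallest unit, so both need decoding before being fed to `scan`.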
RugPull News, May 19, 2026

Rug Pull Score

7.2/10
Based on our analysis

🚩 Red Flags Identified

  1. Single admin key with DEFAULT_ADMIN_ROLE controlled all minting privileges — no multisig or timelock protection
  2. No minting cap on eBTC contract allowed 1,000 tokens ($76.7M) to be minted in a single unauthorized transaction
  3. Attacker deposited 45 fake eBTC as collateral on Curvance and borrowed 11.29 real WBTC against fabricated assets
  4. 384 ETH (~$821K) laundered through Tornado Cash within hours of the exploit
  5. Protocol operated with a single point of failure — one compromised key could mint unlimited tokens
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.