Protocol regains admin control after the attacker launders part of the stolen crypto assets.
Blockchain investigators linked the exploit to a compromised admin key
Photo Credit: Unsplash/FlyD
Echo Protocol, a decentralised finance (DeFi) protocol deployed on the Monad blockchain, was hacked after an attacker managed to mint around 1,000 unauthorised eBTC on the protocol. Blockchain analytics platform Lookonchain and security firm PeckShield both reported the exploit on Tuesday, observing that the hacker minted these eBTC worth around $76.7 million (roughly Rs. 741 crore). The attacker attempted to launder a part of this loot by depositing 45 eBTC worth around $3.45 million (roughly Rs. 33.3 crore) into DeFi lending and liquidity management protocol, Curvance.
After the initial attack, the attacker borrowed another 11.3 wrapped Bitcoin (eBTC) worth $868,000 (roughly Rs. 8.3 crore) against it, bridged the said tokens to Ethereum, swapped them for ETH, and sent 384 ETH worth about $822,000 (roughly Rs. 7.9 crore) to the Tornado Cash mixing service. However, the team later stated that it had regained control of the admin key and burned 955 eBTC held by the attacker. This latest exploit adds to the growing list of protocols compromised by fraudulent actors, including THORchain, Verus Protocol's Ethereum bridge, Transit Finance, TrustedVolumes, and Ekubo.
In a post on X, blockchain developer “Marioo” reported that it was not a smart contract bug, but an admin key compromise, and the root cause of the exploit was operational and not technical. The company said that the eBTC contract was working as per the design, and added that the vulnerabilities included a single signature for the admin role, no timelock, no minting supply cap or rate limit, and no “supply sanity check” by Curvance for the freshly minted collateral.
Curvance, too, shared a statement on the issue. "At this time, there is no indication of any compromise with Curvance's smart contracts," the platform said on X. "Due to Curvance's fully isolated market architecture, no other markets are impacted. Out of an abundance of caution, the affected market has been paused while our team actively investigates the situation alongside ecosystem partners.”
Meanwhile, Echo Protocol said it would share more updates as the investigation progressed.
This is not the first protocol to deal with an exploit in this week; Verus Protocol's Ethereum bridge was reportedly exploited on Monday when a hacker was able to fraudulently transfer out at least $11.5 million (roughly Rs. 110 crore) in cryptocurrency through a fake cross-chain transfer message. Another protocol exposed due to bad actors was THORchain, when the decentralised liquidity protocol paused all trading operations. The halt came after a blockchain investigator flagged a suspected exploit of more than $10 million (roughly Rs. 96.5 crore) that likely left the protocol exposed across Bitcoin, Ethereum, BNB Chain, and Base.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.