Echo Protocol Regains Control After Admin Key Exploit

By BSCN
about 6 hours ago

Echo Protocol has regained control of its compromised admin key and burned the 955 $eBTC that remained in the attacker's wallet, the team confirmed on May 19. The move marks a partial resolution to one of the more disruptive DeFi security incidents of the month.

How the Exploit Unfolded

The attack centred on Echo Protocol's $eBTC system on the Monad blockchain. An attacker minted about 1,000 unauthorized $eBTC on the protocol, worth around $76.7 million at the time, as reported by blockchain security firm PeckShield and analytics platform Lookonchain. The widely cited $76.7 million figure, however, reflects the temporary notional value of the unauthorized $eBTC mint, not confirmed stolen funds or outflows.

According to PeckShield, the attacker deposited 45 $eBTC worth around $3.45 million into DeFi lending protocol Curvance, borrowed 11.3 wrapped Bitcoin (WBTC) worth $868,000 against it, bridged the tokens to Ethereum, swapped them for ETH, and sent 384 ETH worth about $822,000 to the Tornado Cash mixing service.

Blockchain developer "Marioo" reported that the root cause was not a smart contract bug but an admin private key compromise, describing it as "operational, not technical." By that account, the $eBTC contract "worked exactly as designed"; the weaknesses lay around it, including a single signature for the admin role, no timelock, no minting supply cap or rate limit, and no supply sanity check by Curvance for the freshly minted collateral.
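
The controls named above as missing, sketched as an added Python model (not Echo Protocol's or Curvance's code): a timelock on admin mints, a supply cap, a rolling rate limit, and a lender-side supply check. The class and function names and every threshold are assumptions chosen for illustration; the single-signature admin role is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class MintGuard:
    """Toy model of mint-side limits; all thresholds are constructed values."""
    supply: float
    cap: float                    # hard ceiling on total supply
    window_limit: float           # max amount minted per rolling window
    window_secs: int = 86_400     # assumed 24 h window
    timelock_secs: int = 172_800  # assumed 48 h delay
    _queued: dict = field(default_factory=dict)  # mint_id -> (amount, eta)
    _recent: list = field(default_factory=list)  # (timestamp, amount)

    def queue_mint(self, mint_id, amount, now):
        """An admin call only schedules; nothing is minted until the delay passes."""
        self._queued[mint_id] = (amount, now + self.timelock_secs)
        return now + self.timelock_secs

    def cancel(self, mint_id):
        """Guardian path: a watcher can drop a queued mint during the delay."""
        return self._queued.pop(mint_id, None) is not None

    def execute_mint(self, mint_id, now):
        if mint_id not in self._queued:
            return "rejected: not queued"
        amount, eta = self._queued[mint_id]
        if now < eta:
            return "rejected: timelock"
        if self.supply + amount > self.cap:
            return "rejected: supply cap"
        # Forget mints that have aged out of the rolling window.
        self._recent = [(t, a) for t, a in self._recent if now - t < self.window_secs]
        if sum(a for _, a in self._recent) + amount > self.window_limit:
            return "rejected: rate limit"
        del self._queued[mint_id]
        self._recent.append((now, amount))
        self.supply += amount
        return "minted"


def collateral_supply_sane(prev_supply, new_supply, max_growth=0.10):
    """Lender-side check: False means supply jumped too fast between two
    observations and the market should pause (prev_supply > 0 assumed)."""
    return (new_supply - prev_supply) / prev_supply <= max_growth
```

With these limits in place, a stolen admin key can still queue a 1,000-token mint, but the mint is visible for the whole delay, can be cancelled, and fails the rate limit even after the delay expires.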

Damage Limited, Bridge Remains Paused

Echo Protocol's official statement puts total losses at approximately $816,000, limited to the Monad deployment. Monad co-founder Keone Hon clarified that the Monad network is not affected and is operating normally. Aptos exposure is estimated at around $71,000, with no evidence of a direct compromise on that chain.

Curvance said it became aware of an anomaly in the Echo $eBTC market at approximately 6:00 PM EST, confirmed there was no compromise of its own smart contracts, and paused the affected market out of caution while investigating alongside ecosystem partners. Monad bridge functions remain paused pending the completion of that review.

Users are warned to avoid fake refund and recovery links circulating online. The incident is the 14th crypto exploit recorded in May alone, coming just days after THORChain confirmed a vault breach on May 15 that drained more than $10 million, and a separate exploit of the Verus-Ethereum Bridge in which attackers drained roughly $11.58 million in digital assets.

Sources
CoinTelegraph: Echo Protocol Hacked for $76.7M in Admin Key Exploit
Crypto Times: Echo Exploit Hacker Moves $821K Through Tornado After eBTC Mint
BeInCrypto: Echo Protocol Hack Lifts May's Crypto Exploit Total to 14
