A cybercriminal launched an attack on the Echo Protocol in the Monad network, resulting in the perpetrator artificially creating 1000 eBTC worth approximately $76.7 million. This event caused the value of the ECHO token to drop by more than 11%, to $0.0049.
This is reported by Finway
Details of the Attack and Vulnerabilities Exploited
The attacker exploited a vulnerability in the signature validation mechanism of the Echo Protocol bridge contract. Under normal conditions, an M-number of signatures from N validators is required to initiate the issuance of eBTC; however, in this case, the contract did not check whether the signer was actually part of the committee and whether the message hash was correct. Instead of genuine signatures, fake ones were used, allowing the hacker to bypass the protection and invoke the _mint() function. Due to the absence of MAX_SUPPLY restrictions and rate limits, the contract confirmed the issuance of 1000 eBTC.
Analysts note that similar attacks have been recorded before — specifically, a similar hack occurred in 2022 with the Wormhole bridge, as well as in the case of the Verus protocol.
“The Echo Protocol project in the Monad network was hacked, resulting in the issuance of 1000 eBTC totaling $76.7 million, according to PeckShield Alert.”
The hacker used the obtained eBTC as collateral on the Curvance platform: they deposited 45 eBTC (about $3.45 million), after which they received a loan of 11.29 WBTC (approximately $867,700). The assets were then converted to Ethereum and exchanged for ETH. Part of the funds (384 ETH, about $821,700) was sent to the Tornado Cash mixer for further laundering.
Consequences of the Attack and Market Reaction
Analyst Humphrey emphasized that the incident could have been prevented or its consequences mitigated if the contract had imposed restrictions on simultaneous issuance and withdrawal of assets. Monad co-founder Keon Hong stressed that the Monad network itself was not harmed, and the Curvance platform suspended the eBTC market to prevent further fraudulent activities.
The Echo Protocol team officially confirmed the hack and suspended cross-chain transactions to investigate the incident. However, according to Lookonchain, the attacker still controls 955 eBTC worth over $73 million.
The ECHO token price, according to TradingView, has dropped by more than 11% — it is currently trading at $0.0049.
