Reading Time: 2 minutesKey Takeaways:
The breach was caused by a stolen private key, not a smart contract bug. The contract worked exactly as coded.
Hacker granted themselves minting rights and created 1,000 unbacked eBTC, valued at roughly $76.7 million.
The attacker used 45 fake eBTC as collateral on Curvance to borrow and clean around $821,000 via Tornado Cash.
Echo Protocol on the Monad network has suffered a major security breach today, After an admin private key was compromised. The attacker unauthorizedly minted 1,000 eBTC (worth about $76.7 million), leaving the protocol with millions in unbacked tokens and creating bad debt for the Curvance lending platform.
Echo Protocol (@EchoProtocol_) exploited on @monad
NOT a smart contract bug — admin private key compromise.
Attacker minted 1,000 eBTC out of thin air → used as Curvance collateral → borrowed WBTC → bridged out.
Full attack chain w/ tx hashes ↓
1/ The key handover…
— Marioo (@MarioY00) May 18, 2026
Operational Failure Over Coding Errors
Echo Protocol became the victim of a high profile DeFi exploit, losing control of administrative functions. Blockchain security trackers confirmed that the attack wasn’t caused by a smart contract vulnerability. Instead, the hacker managed to compromise a single Externally Owned Account (EOA) belonging to an old administrator. Using this stolen key, the attacker assigned themselves the highest administrative and minting roles, immediately revoking the original owner. With full control, the hacker minted 1,000 unbacked eBTC, which is worth about $76.7 million, in a process that required only a few cents in gas fees.
Echo Protocol on the Monad network has suffered a major security breach
Read Next: Thorchain Pauses All Trading After $10.8 Million Multichain Exploit
Laundering via Curvance and Tornado Cash
Once the unbacked tokens were created, the hacker moved quickly to turn the synthetic assets into real capital. They deposited 45 of the fake eBTC as collateral into Curvance, a popular lending protocol operating on the Monad network. Because Curvance lacked a strict supply checking mechanism for new collateral, the system accepted the deposit, allowing the hacker to borrow 11.29 real Wrapped Bitcoin (WBTC). The attacker then bridged these assets to Ethereum, swapped them for ETH, and funneled approximately 385 ETH (around $821,000) into the privacy mixer Tornado Cash to clean the funds.
The Fallout and Current Status
The vast majority of the stolen assets, 955 eBTC remain sitting dormant in the hacker’s wallet. However, because these tokens have no real Bitcoin backing them, the 45 eBTC used on Curvance has created a bad debt crisis for the lending platform’s liquidity providers. Curvance has paused its eBTC markets to contain the damage. Monad co-founder Keone Hon quickly clarified that the underlying blockchain network remains completely safe, as the issue occurred strictly at the application layer.
Read Next: Arbitrum Freezes $71 Million in Stolen ETH After KelpDAO Exploit