DeFi Exploit: Echo Protocol on Monad Compromised Through Admin Key Vulnerability in eBTC Market

A significant security breach has emerged in the Bitcoin DeFi segment, drawing fresh scrutiny to administrative safeguards in emerging blockchain deployments. The Echo Protocol, a BTCFi project running on the Monad network, encountered unauthorized token generation involving roughly 1,000 eBTC — a synthetic Bitcoin asset intended to facilitate liquidity and collateral use cases.

At Bitcoin’s prevailing price near $77,000, the fabricated supply carried a notional exposure of approximately $76–77 million. On-chain forensics traced the root cause to a compromised administrator private key.

The malicious actor assumed elevated privileges, revoked existing controls, and triggered uncollateralized minting of the tokens absent any underlying Bitcoin backing.

This vector commonly affects protocols relying on centralized administrative keys instead of distributed multi-signature setups, timelocks, or issuance caps.

The exploiter followed a structured extraction path.

Around 45 eBTC (valued near $3.45 million) was deposited as collateral into the Curvance lending market.

This move unlocked a borrow of about 11.29 WBTC, worth roughly $867,000.

The position was then bridged to Ethereum, swapped for ETH, and approximately 384–385 ETH (equivalent to $816,000–$822,000) was routed via Tornado Cash to obscure traceability.

Shallow liquidity on the relatively new Monad chain constrained the attacker’s ability to liquidate the full notional amount.

Echo Protocol’s responders rapidly reasserted control over the contract, burned the bulk of the illicit tokens (leaving the perpetrator with roughly 955 eBTC), and placed all cross-chain bridge operations on hold pending deeper investigation.

Curvance isolated exposure by pausing the impacted eBTC market, confirming its compartmentalized architecture preserved the integrity of unrelated segments.

Monad co-founder Keone Hon addressed the community directly, affirming the Layer-1 blockchain continued normal operations without compromise.

The incident remained confined to Echo’s application-level deployment. Security specialists, including PeckShield, delivered live transaction monitoring and corroborated these details.

This development elevates May 2026’s notable DeFi incidents to 14, arriving in quick succession after bridge-related events involving THORChain and Verus-Ethereum.

It spotlights enduring priorities for the ecosystem: fortified key custody practices, progressive decentralization of governance, routine penetration testing, and restrained parameters for privileged actions such as token creation.
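How a timelock on role changes, an issuance cap, and a backing check would each stop a mint issued with a stolen admin key can be shown with a small model. This is an added illustration, not Echo Protocol's code. The `MintGuard` class, the account names, and all thresholds are assumptions, and the action log is constructed.

```python
from dataclasses import dataclass, field

# All parameters and names are assumptions for illustration, not Echo Protocol values.
WINDOW = 24 * 3600         # rolling window for the issuance cap, seconds
CAP_PER_WINDOW = 50.0      # max tokens mintable per window
ROLE_TIMELOCK = 48 * 3600  # delay before a granted minter role becomes active

@dataclass
class MintGuard:
    reserves: float                 # attested BTC backing
    supply: float                   # tokens already issued
    minters: set
    pending: dict = field(default_factory=dict)  # account -> activation time
    recent: list = field(default_factory=list)   # (timestamp, amount) of mints

    def queue_minter(self, now, account):
        # Role grants are delayed, giving monitors time to react to a stolen key.
        self.pending[account] = now + ROLE_TIMELOCK
        return "QUEUED"

    def mint(self, now, caller, amount):
        for account, eta in list(self.pending.items()):
            if now >= eta:  # timelock elapsed, role becomes active
                self.minters.add(account)
                del self.pending[account]
        if caller not in self.minters:
            return "DENY: no active minter role"
        minted = sum(a for t, a in self.recent if now - t < WINDOW)
        if minted + amount > CAP_PER_WINDOW:
            return "DENY: issuance cap exceeded"
        if self.supply + amount > self.reserves:
            return "DENY: not backed by reserves"
        self.recent.append((now, amount))
        self.supply += amount
        return "OK"

# Constructed action log: (timestamp, action, account, amount)
SAMPLE = [
    (0, "mint", "ops", 10.0),                           # routine, backed mint
    (60, "queue_minter", "new_admin", 0.0),             # role grant via admin key
    (120, "mint", "new_admin", 1000.0),                 # role still timelocked
    (60 + ROLE_TIMELOCK, "mint", "new_admin", 1000.0),  # role active, cap applies
    (120 + ROLE_TIMELOCK, "mint", "new_admin", 40.0),   # under cap, but unbacked
]

def replay(actions):
    guard = MintGuard(reserves=120.0, supply=100.0, minters={"ops"})
    out = [guard.queue_minter(t, who) if kind == "queue_minter"
           else guard.mint(t, who, amt) for t, kind, who, amt in actions]
    return out, guard.supply
```

Only the first, backed mint succeeds; each later attempt is rejected by a different control, so no single check carries the whole defense.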

As institutional appetite for Bitcoin-native DeFi expands, these episodes reinforce the imperative to align product velocity with hardened operational resilience.

Echo Protocol indicated it would release periodic updates through authenticated channels.

Stakeholders should refrain from engaging paused functionalities and depend exclusively on verified communications. Although decisive containment curtailed realized losses, the occurrence amplifies sector-wide advocacy for superior standards in privilege management and smart contract fortification, particularly for mechanisms tied to substantial Bitcoin liquidity flows.


