Echo Protocol is investigating a security incident related to its bridge on Monad after on-chain cryptocurrency analysts said an attacker minted 1,000 eBTC and used a portion of the position to mine WBTC liquidity through Curvance.

The first public warning came from on-chain analyst DCF GOD, who wrote that Echo “may be hacked on Monad.” He added: “Someone minted 1k ebtc out of thin air, borrowed Max wbtc for it on Curvance, got bridged, and hurricane away.” A follow-up post pointed to a Monad transaction showing the transfer of 1,000 eBTC on May 18 at 21:21:32 UTC.

$76 Million in Cryptocurrency Triggers Alarm

Lookonchain later mapped the reported sequence in more detail. According to the calculation, the attacker minted 1,000 eBTC, worth approximately $76.64 million, deposited 45 eBTC worth approximately $3.45 million into Curvance, borrowed 11.3 WBTC worth approximately $867,000, plugged the WBTC into Ethereum, exchanged it for 385 ETH worth approximately $821,000, and deposited ETH into Tornado. in cash. Lookonchain said the attacker still held 955 eBTC, worth an estimated $73.2 million.

Phylax Systems founder and CEO Odysseas Lamtzidis said the transaction path points away from the disadvantage of Curvance lending and toward a role management compromise on the eBTC side. “Monad eBTC/Curvance Tracking: Not a Curvance Lending Error,” he wrote. “The eBTC admin granted DEFAULT_ADMIN_ROLE to 0x6A0109, who overruled the admin, self-granted MINTER_ROLE, minted 1,000 eBTC, posted 45 eBTC as collateral, and borrowed approximately 11,296 WBTC.” Lamtzidis said the pattern “seems like a compromise of the admin/role key,” citing the key transactions of admin grant, mintage, and borrowing.

Echo confirmed the incident without publishing a root cause analysis. “We are currently investigating a security incident affecting Monad’s Echo Bridge. All cross-chain transactions remain suspended during the investigation. We will continue to provide timely updates through our official channels as more information becomes available.” This comment makes the bridge the direct operational focus, rather than just the lending market that processes collateral.

Curvance’s exposure appears to have come through the affected Echo eBTC market. Curvance paused this market while the teams investigated, citing Curvance as saying there was no indication its smart contracts were compromised and that its isolated market structure meant other markets were not affected. The Monad network itself was not affected.

“To be clear, the Monad network was not affected and is operating normally,” Monad CEO Keone Hon wrote via

This incident illustrates a familiar pattern of failed transitions to lending. Once pooled or synthetic assets are treated as valid collateral, even a partial funnel can turn a supply-side failure into a real liquidity loss. In this case, eBTC was used to borrow WBTC, transfer it from Monad, convert it to ETH, and route the funds through a mixer before the broader notional position was fully liquidated.

Echo’s next update will need to answer several questions facing the market: whether unauthorized eBTC has been neutralized, whether Curvance faces bad debt from WBTC borrowing, what bridge permissions or contracts are involved, and when cross-chain transactions can safely resume. Until then, the eBTC market on Monad remains the main pressure point for users trying to assess whether the incident has been contained or merely slowed down.

Echo utilization is also falling during a difficult time for cryptocurrency infrastructure. On May 15, THORChain lost more than $10 million across Bitcoin, Ethereum, BNB Chain, and Base, including 36.75 BTC and about $7 million in other assets. Days later, the Verus-Ethereum Bridge was drained for approximately $11.5 million, with reports that the attacker took 103.6 tBTC, 1,625 ETH, and 147,000 USDC before merging the amount to approximately 5,402 ETH. Echo now provides markets with yet another reminder that bridge design, collateral acceptance, and liquidity routing remain one of the most vulnerable DeFi attack surfaces.

[UPDATE from X:] Echo Protocol confirmed: “Earlier today, Echo Protocol identified unauthorized activity involving eBTC on Monad that resulted in unauthorized minting and associated loss of funds. Our investigation indicates that the issue arose from a compromised administrator key impacting Monad deployment. Based on the current findings, approximately $816K has been affected on Monad. The Monad network itself has not been affected and continues to operate normally.”

Since discovering the incident, we have been actively investigating potential exposure across the chain, coordinating with ecosystem partners, and implementing additional precautionary measures. We successfully regained control of our management keys and burned the remaining 955 eBTC that were in the possession of the attacker.

At the time of publication, the total market cap of cryptocurrencies was $2.54 trillion.

Featured image created with DALL.E, a chart from TradingView.com