Echo Protocol, a DeFi protocol that operates on the Monad blockchain, was breached when an unauthorized user created around 1,000 eBTC. Reports surfaced on Tuesday from analytics and blockchain security firm PeckShield and Lookonchain, stating that the hacker had minted 1,000 eBTC, valued at around $76.7 million.
There has been a string of twelve protocols compromised in the last month; they include THORChain, Ekubo, TrustedVolumes, Transit Finance, and the Verus Protocol’s Ethereum bridge. This most current vulnerability is the most recent in the sequence.
According to PeckShield, the criminal attempted to hide some of the stolen money by injecting 45 eBTC, or about $3.45 million, into the DeFi lending and liquidity management protocol Curvance.
The perpetrator then submitted 384 Ethereum, with a value of about $822,000, to the Tornado Cash mixing service after borrowing 11.3 wrapped Bitcoin (wBTC) tokens, which were worth $868,000, bridging the tokens to Ethereum, and exchanging them for Ethereum. The hacker allegedly still has 955 eBTC, or over $73 million, according to DeBank.
Compromised Admin Key Likely Reason
Echo Protocol is a Bitcoin DeFi platform that offers a lot of activities, one of which is the ability to generate revenue, stake liquids, restake them, and pool Bitcoin liquidity. It creates unified, liquid Bitcoin assets, such as eBTC, for users to sell and utilize in DeFi to make more money. The protocol is built on top of the Monad blockchain, which is EVM compatible and has high layer-1 speed.
According to ‘Marioo,’ a blockchain developer, the breach occurred due to an admin private key rather than a smart contract error. The issue stemmed from “operational, not technical” factors.
The eBTC contract operated exactly as designed, they said. But they did point out additional issues, such as the admin role only needing a single signature, no timelock, an inaccurate minting supply limitation or rate restriction, and an insufficient “supply sanity check” by Curvance for the freshly generated collateral.