Someone minted $77 million in synthetic Bitcoin out of thin air on Sunday night — and the only thing standing between them and a clean getaway was Monad’s wafer-thin liquidity.
Echo Protocol, a Bitcoin-focused DeFi platform deployed on the Monad blockchain, suffered one of the most audacious exploits of 2026 when an attacker compromised a single admin key and conjured 1,000 unauthorised eBTC tokens. The face value: $76.7 million. The actual haul: roughly $816,000. The gap between those two numbers tells the real story of how fragile cross-chain DeFi infrastructure has become.
The Anatomy of a Phantom Mint
At approximately 6:00 PM EST on 18 May, blockchain investigator DCF GOD flagged unusual activity on Echo Protocol’s Monad deployment. An unknown attacker had minted 1,000 eBTC — Echo’s synthetic Bitcoin-backed token — without posting a single unit of collateral.
The attack chain was devastatingly simple. The exploiter gained access to Echo’s administrative private key, which controlled minting permissions. With that single key, they generated the phantom tokens and immediately deposited roughly 45 eBTC (worth approximately $3.45 million) into Curvance, a lending protocol operating on the same network. Against this fabricated collateral, they borrowed 11.3 Wrapped Bitcoin (WBTC) — between $820,000 and $868,000 in real value.
From there, the funds followed a well-worn laundering route: bridged to Ethereum, swapped for ETH, and funnelled through Tornado Cash. PeckShield confirmed 384 ETH (roughly $821,700) passed through the mixer before the trail went cold.
The Single-Key Scandal
What makes this exploit particularly damning is not the sophistication of the attack — it’s the sheer negligence of the security architecture. Blockchain developer Marioo, one of the first to analyse the breach, concluded that Echo Protocol relied on a single-signature administrative structure with no timelock mechanism. No minting caps. No transaction rate limits. No supply validation controls.
In plain terms: one compromised key unlocked the entire treasury. Every synthetic token Echo had ever issued became suspect the moment that key was exposed.
“This wasn’t a smart contract bug,” Marioo wrote on X. “This was an operational failure. The protocol marketed itself as decentralised infrastructure while running on what amounts to a Web2 admin panel.”
Misha Putiatin, co-founder of Symbiotic, echoed that assessment: “DeFi protocols are increasingly vulnerable to ‘Web2.5’ style attacks that target centralised key management and off-chain infrastructure.”
The irony is bitter. DeFi’s entire value proposition rests on removing single points of failure. Echo Protocol had one sitting right at the heart of its minting logic.
Three Hacks in Four Days
Echo’s exploit didn’t arrive in isolation. It was the third major bridge hack in just four days, forming the worst cluster of DeFi security incidents in 2026.
On 15 May, THORChain disclosed a separate exploit draining more than $10 million from protocol-controlled wallets. Three days later, attackers stole $11.58 million from the Verus-Ethereum bridge by manipulating its cross-chain verification process. Then came Echo.
According to PeckShield, hackers have now stolen roughly $328.6 million from eight bridge-related attacks in 2026 alone. The largest remains April’s Kelp DAO catastrophe, where attackers drained nearly $292 million in rsETH from its bridge infrastructure.
Monad’s Liquidity Saved the Day — By Accident
Here’s the darkly comic twist: the attacker minted $77 million in phantom tokens but could only extract $816,000 because Monad’s on-chain liquidity was too thin to absorb the exit. The remaining 955 eBTC — worth approximately $73 million on paper — sat stranded in the exploiter’s wallet, essentially worthless.
Curvance paused the affected eBTC market immediately upon detecting the anomaly, preventing further borrowing against the fabricated collateral. Echo Protocol suspended all cross-chain transactions, recovered the compromised admin keys, and burned the stranded tokens. The team also paused operations on its primary Aptos bridge as a precaution, despite no evidence of compromise on that chain.
Monad co-founder Keone Hon moved quickly to distance his network from the fallout: “The Monad network is not affected and is operating normally. Security researchers have determined that approximately $816,000 appears to have been stolen.”
But the damage to confidence extends well beyond one protocol. Curvance’s failure to validate whether freshly minted collateral was legitimate before issuing loans raises uncomfortable questions about sanity checks across the entire interconnected DeFi stack. If fake tokens can be minted and immediately leveraged, the composability that DeFi celebrates becomes a liability.
What Happens Next
The Echo Protocol exploit is a case study in how DeFi’s weakest links are no longer in the code — they’re in the key management. Protocols that market decentralisation whilst operating with single-signature admin controls are not decentralised. They’re centralised systems wearing a decentralised mask.
The community is demanding change: multi-signature controls, withdrawal delays, minting caps, and automated anomaly detection are now table stakes, not luxuries. Several DeFi protocols have already begun reviewing their own admin key structures in response.
But the pattern is depressingly familiar. Each exploit triggers a wave of soul-searching, followed by promises of improved security, followed by another hack exploiting the same category of vulnerability weeks later.
With $328.6 million stolen from bridges in 2026 and the year not even half over, the question is no longer whether DeFi can survive these attacks. It’s whether the industry will address the systemic rot before regulators do it for them.
This is a developing story. Echo Protocol has stated investigators are continuing to monitor the exploit whilst preparing additional updates through official channels.
