An attacker compromised the admin private key on Echo Protocol's Monad deployment on May 19, minted 1,000 eBTC tokens worth roughly $76.7 million at face value, and walked away with about $816,000. The gap between those two numbers is the story.
The attacker used the minted tokens as collateral on Curvance, the lending protocol running on Monad, depositing 45 eBTC and borrowing approximately 11.29 WBTC worth around $868,000. That WBTC was bridged to Ethereum, swapped for ETH, and 385 ETH — worth about $818,000 — went into Tornado Cash. The remaining 955 eBTC held by the attacker were never liquidated: Echo regained admin key control and burned them, leaving roughly $76M in synthetic tokens destroyed rather than converted.
PeckShield and Lookonchain both flagged the unauthorized mint on X as it happened. Echo Protocol confirmed the exploit in its own May 19 thread, stating directly that Monad itself was not compromised — the vulnerability was in Echo's own eBTC contract deployment on the chain.
What the attacker actually exploited
This was not a smart contract bug. The eBTC contract worked exactly as coded. A single private key held unrestricted minting authority over the contract, with no multisig requirement and no timelock. Whoever held that key could mint any quantity of eBTC at will. Once the key was compromised — how, Echo has not yet disclosed — the rest was mechanical: mint tokens, use them as collateral, borrow real assets, bridge out, mix.
The structural failure is the design, not the execution. A minting key with no guardrails on a live DeFi deployment is not a bridge — it is a loaded gun left in an unlocked room.
Curvance detected anomalies around 10:00 p.m. UTC on May 18 and paused the Echo eBTC market on May 19. Echo suspended cross-chain transactions and said a security review is underway.
The face-value fiction
Headlines describing this as a "$76M hack" are not inaccurate in one narrow sense: 1,000 eBTC were minted without authorization at a price that implied $76.7M in value. But the attacker could only extract value equal to what Curvance would lend against that collateral at the loan-to-value ratios the market allowed. The rest was paper — synthetic tokens with no liquid exit at scale. When Echo burned the 955 remaining eBTC, it erased the face value without affecting real losses.
The distinction matters for how the industry counts incidents. A minting exploit on an illiquid synthetic asset has a different risk profile than a direct drain. The actual stolen figure — $816,000, per Echo's own post-incident statement — is the number that measures damage to counterparties. The $76.7M figure measures the theoretical maximum extraction if liquidity had existed and the team had not responded. Both are worth reporting; they should not be conflated.
A category question for new L1s
Monad launched its mainnet in early 2025. Berachain, Sonic, and several other new L1s have drawn DeFi deployments over the past twelve months, most of them relying on bridge infrastructure that was written quickly to capture early liquidity. Wrapped Bitcoin tokens on these chains — eBTC, WBTC variants, and similar — are typically controlled by small teams with admin keys that predate formal security reviews.
The question Echo raises is not unique to Echo. How many protocols on these new chains hold minting authority over bridged Bitcoin or other external assets in a single-sig key with no timelock? That information is not disclosed by default. It becomes visible only when something goes wrong.
A timelock on admin functions does not prevent a key compromise, but it creates a window for detection and intervention before tokens reach external liquidity. Multisig requires coordination to exploit. Neither is a complete solution; both raise the cost of this specific attack vector materially.
May 2026 context
This is the fourteenth confirmed crypto exploit in May 2026, following the $10.7 million THORChain exploit on May 15 and the $11.5 million Verus-Ethereum bridge drain on May 18. April 2026 ended as the worst month for crypto losses since the $1.4 billion Bybit breach in February 2025, with $606 million lost across twelve incidents — two Lazarus Group attacks against Drift Protocol ($285M) and KelpDAO ($292M) accounting for roughly 95% of that total.
The Echo incident adds to a pattern in which bridge infrastructure — the connective tissue between chains — accounts for a disproportionate share of losses. The Monad network itself was unaffected. The vulnerability was upstream, in the key management decisions made when Echo's Monad deployment was set up.
Echo has said a security review is underway. It has not disclosed a timeline for resuming cross-chain transactions or the results of any investigation into how the admin key was compromised.