Taiko stopped block production on June 22, 2026, after an attacker found an RSA-3072 Intel SGX signing key committed in plaintext to the project's public GitHub repository, used it to forge cross-chain withdrawal proofs, and drained approximately $1.7 million from the protocol's L1 bridge and ERC20Vault.
How the attack worked
The exposed credential, a file called enclave-key.pem inside the public taikoxyz/raiko repository, let the attacker register attacker-controlled SGX prover instances via Taiko's SgxVerifier.registerInstance contract. With those instances accepted by the network, the attacker produced fraudulent L2 state attestations that Taiko's verification contracts treated as legitimate. The exploit ran in two phases: fake attestations triggered processMessage() to mark withdrawals as RETRIABLE, then retryMessage() executed with minimal additional checks and released funds from the bridge and ERC20Vault contracts on Ethereum mainnet. The drained assets were user funds bridged onto Taiko's network; on-chain records show the attacker moved approximately 2 million TAIKO tokens to a MEXC exchange account.
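An added example, not taken from the article or from the Taiko or Raiko code base: a repository check that flags PEM private key blocks such as the committed enclave-key.pem and reports whether each one is plaintext or passphrase-protected. The directory name, the skip list, the size limit and the key bodies in demo() are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# PEM armor for private keys: PKCS#1 (RSA), SEC1 (EC), DSA, PKCS#8, OpenSSH.
PEM_PRIVATE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")
SKIP_DIRS = {".git", "node_modules", "target"}   # assumption: not worth scanning
MAX_BYTES = 1_000_000                            # assumption: key files are small


def protection(label, following):
    """Classify a PEM private key block as plaintext, encrypted or unknown."""
    if label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in following:
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        return "unknown"   # encryption is declared inside the base64 body
    return "plaintext"


def scan_tree(root):
    """Return sorted (path, label, protection) for each PEM private key found."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if (not path.is_file() or SKIP_DIRS & set(rel.parts)
                or path.stat().st_size > MAX_BYTES):
            continue
        data = path.read_bytes()
        for m in PEM_PRIVATE.finditer(data):
            label = m.group(1).decode()
            findings.append((rel.as_posix(), label,
                             protection(label, data[m.end():m.end() + 200])))
    return sorted(findings)


def demo():
    """Scan a constructed tree; key bodies are placeholders, not real keys."""
    files = {
        "constructed/enclave-key.pem": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "constructed/backup.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "constructed/pub.pem": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            p = Path(tmp, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(tmp)
```

A working-tree scan does not see keys that were committed and later deleted; those remain in git history, so a key that was ever pushed has to be treated as compromised and replaced.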
Response and market impact
BlockSec Phalcon identified the exposed Raiko SGX enclave signing key as the likely root cause. Taiko's Security Council paused the bridge and ERC20Vault contracts; proposers halted block production. The team contained the exploit by approximately 2 a.m. ET and published an advisory directing all users to "withdraw their funds from all bridges deployed on Taiko immediately," adding that "the security assumptions underlying all bridges on Taiko could no longer be relied upon." The team also asked centralized exchanges to suspend TAIKO deposits. The TAIKO token slumped more than 20% from midnight UTC to approximately $0.07294, with a market cap of $14.5 million at the time of disclosure.
[
{
"claim": "Total funds drained",
"value": "approximately $1.7 million",
"source": "CoinDesk",
"url": "https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10",
"retrieved": "2026-06-22"
},
{
"claim": "Key type",
"value": "RSA-3072 private key used for Intel SGX enclave signing",
"source": "CryptoTimes",
"url": "https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/",
"retrieved": "2026-06-22"
},
{
"claim": "Key filename",
"value": "enclave-key.pem",
"source": "CryptoTimes",
"url": "https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/",
"retrieved": "2026-06-22"
},
{
"claim": "GitHub repository",
"value": "taikoxyz/raiko",
"source": "CryptoTimes",
"url": "https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/",
"retrieved": "2026-06-22"
},
{
"claim": "Registration vector",
"value": "register attacker-controlled SGX instances via SgxVerifier.registerInstance",
"source": "CryptoTimes",
"url": "https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/",
"retrieved": "2026-06-22"
},
{
"claim": "Exploit phases",
"value": "fake attestations enabled processMessage() calls to set withdrawal statuses to RETRIABLE. Then, retryMessage() executed with minimal additional checks, releasing funds from the bridge and token vault",
"source": "CryptoTimes",
"url": "https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/",
"retrieved": "2026-06-22"
},
{
"claim": "Whose funds drained",
"value": "Users with assets bridged on Taiko's network; the attack targeted the ERC20Vault, affecting bridged Ethereum-based assets",
"source": "Decrypt",
"url": "https://decrypt.co/371769/ethereum-layer-2-taiko-withdraw-bridge-funds-security-breach",
"retrieved": "2026-06-22"
},
{
"claim": "TAIKO tokens moved to MEXC",
"value": "approximately 2 million TAIKO tokens",
"source": "CoinDesk",
"url": "https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10",
"retrieved": "2026-06-22"
},
{
"claim": "Root cause attributed to",
"value": "exposed Raiko SGX enclave signing key on GitHub",
"source": "BlockSec Phalcon via CoinDesk",
"url": "https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10",
"retrieved": "2026-06-22"
},
{
"claim": "Exploit contained by",
"value": "approximately 2 a.m. ET",
"source": "CoinDesk",
"url": "https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10",
"retrieved": "2026-06-22"
},
{
"claim": "User advisory (verbatim)",
"value": "We strongly advise all users to withdraw their funds from all bridges deployed on Taiko immediately",
"source": "Taiko official X, via Decrypt",
"url": "https://decrypt.co/371769/ethereum-layer-2-taiko-withdraw-bridge-funds-security-breach",
"retrieved": "2026-06-22"
},
{
"claim": "Security assumptions statement (verbatim)",
"value": "the security assumptions underlying all bridges on Taiko could no longer be relied upon",
"source": "Taiko official X, via Decrypt",
"url": "https://decrypt.co/371769/ethereum-layer-2-taiko-withdraw-bridge-funds-security-breach",
"retrieved": "2026-06-22"
},
{
"claim": "TAIKO token price drop",
"value": "slumped more than 20% since midnight UTC",
"source": "CoinDesk",
"url": "https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10",
"retrieved": "2026-06-22"
},
{
"claim": "TAIKO token price level",
"value": "$0.07294",
"source": "CryptoTimes",
"url": "https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/",
"retrieved": "2026-06-22"
},
{
"claim": "TAIKO market cap at disclosure",
"value": "$14.5 million",
"source": "CoinDesk",
"url": "https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10",
"retrieved": "2026-06-22"
}
]