Taiko shut down block production on its Ethereum layer-2 network on June 22, 2026, after an attacker drained approximately $1.7 million by submitting forged withdrawal proofs, using a signing key the project had left exposed in a public GitHub repository, according to CoinDesk and security firm Quill Audits.
How the attack worked
An RSA-3072 private key for Raiko, Taiko's proof-generation component, had been committed openly to the taikoxyz/raiko public repository, where anyone could download it, per Quill Audits. That key is meant to remain sealed inside Intel SGX secure enclaves, hardware that signs attestations confirming transaction validity. With the key in hand, the attacker registered an enclave of their own as a legitimate prover. Taiko's L1 contracts accepted any enclave whose key matched the stored MrSigner value, with no secondary check, so the fraudulent attestations passed verification. BlockSec independently reached the same root cause.
The attack ran in two steps: processMessage() marked fabricated withdrawals as retriable; retryMessage() then released the funds from the L1 Bridge contract (0xd60247c6848B7Ca29eDdF63AA924E53dB6Ddd8EC) and ERC20Vault (0x996282cA11E5DEb6B5D122CC3B9A1FcAAD4415Ab) on Ethereum mainnet, with no matching deposits on the Taiko side, per Quill Audits. Roughly 2 million TAIKO tokens were routed to the MEXC exchange before the contracts were frozen. No real-time key theft or social engineering occurred; the entire attack traced back to the exposed file in the repository.
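The prover-registration check described above, as an added illustration in Python that is neither Taiko's contract code nor Raiko's own: a signer-only policy beside one that also pins the enclave measurement (MrEnclave) and binds the quote to the registering prover address. All hashes, addresses and the report_data binding scheme are constructed assumptions, not values from the incident.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Quote:
    """Constructed stand-in for the fields of an SGX attestation quote."""
    mr_signer: bytes    # hash of the key that signed the enclave (SIGSTRUCT)
    mr_enclave: bytes   # measurement of the enclave code itself
    report_data: bytes  # 64 enclave-chosen bytes; here bind the prover address


# Constructed values standing in for the on-chain configuration.
TRUSTED_MR_SIGNER = hashlib.sha256(b"constructed-raiko-signing-key").digest()
ALLOWED_MR_ENCLAVE = {hashlib.sha256(b"constructed-raiko-enclave-build").digest()}


def expected_report_data(prover_addr: bytes) -> bytes:
    """Binding the verifier expects inside report_data (hypothetical scheme)."""
    return hashlib.sha256(prover_addr).digest().ljust(64, b"\x00")


def weak_register_prover(quote: Quote, prover_addr: bytes) -> bool:
    """Signer-only check: any enclave signed with the (leaked) key is accepted."""
    return hmac.compare_digest(quote.mr_signer, TRUSTED_MR_SIGNER)


def hardened_register_prover(quote: Quote, prover_addr: bytes) -> bool:
    """Pins the enclave measurement and binds the quote to the registering address."""
    if not hmac.compare_digest(quote.mr_signer, TRUSTED_MR_SIGNER):
        return False
    if quote.mr_enclave not in ALLOWED_MR_ENCLAVE:
        return False  # genuine key, but the code it signed is not the audited build
    return hmac.compare_digest(quote.report_data, expected_report_data(prover_addr))


# Constructed scenarios: an honest prover and a rogue enclave signed with the leaked key.
HONEST, ROGUE = b"\x11" * 20, b"\x22" * 20
honest_quote = Quote(TRUSTED_MR_SIGNER, next(iter(ALLOWED_MR_ENCLAVE)), expected_report_data(HONEST))
# The leaked key yields a matching mr_signer, but different code gives a different measurement.
rogue_quote = Quote(TRUSTED_MR_SIGNER, hashlib.sha256(b"rogue-enclave").digest(), expected_report_data(ROGUE))


def scenario_results() -> dict:
    return {
        "honest_weak": weak_register_prover(honest_quote, HONEST),
        "honest_hardened": hardened_register_prover(honest_quote, HONEST),
        "rogue_weak": weak_register_prover(rogue_quote, ROGUE),
        "rogue_hardened": hardened_register_prover(rogue_quote, ROGUE),
        "replayed_honest_quote": hardened_register_prover(honest_quote, ROGUE),
    }


if __name__ == "__main__":
    for name, accepted in scenario_results().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The rogue quote clears the signer-only policy but fails the hardened one, and replaying the honest quote under another address also fails because report_data no longer matches.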
Network response
The team froze the main bridge and token vault by approximately 2 a.m. ET, halted all block production, urged users to pull funds from every Taiko bridge, and asked centralized exchanges to suspend TAIKO deposits, according to CoinDesk. Taiko said the exploit had been contained and committed to a full incident report.
Market impact
The TAIKO token fell more than 20% from midnight UTC on news of the exploit, with a market capitalization of $14.5 million at the time, according to CoinDesk, which noted that the incident fits a pattern of cross-chain messaging vulnerabilities that have cost more than $340 million across 2026.