An attacker drained $1.7 million from Taiko's bridge and ERC20 vault on June 22, 2026, after a private key used for Intel SGX enclave signing was left exposed in the project's public taikoxyz/raiko GitHub repository. Taiko halted block production and froze all bridge withdrawals within hours. No flaw in Taiko's on-chain logic was needed; the leaked key was enough.

How the attacker exploited the leaked key

The compromised credential was the signing key for Raiko, Taiko's multi-prover stack. With it, the attacker registered a malicious prover and submitted forged cross-chain withdrawal proofs to Ethereum. The on-chain verifier accepted those proofs without any matching deposits on Taiko's source chain, releasing funds from the bridge and ERC20 vault that were never locked there. A thirdweb post-mortem confirmed the attack path: forged withdrawal requests cleared on Ethereum without corresponding MessageSent events on Taiko's source chain.
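The reconciliation a bridge monitor can run against this failure mode, as an added example that is not Taiko's or thirdweb's code: every release on the destination chain must trace back to a MessageSent event on the source chain. The record layout and field names (msg_hash, to, token, amount) and all sample values are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data; the schema is an assumption, not Taiko's event ABI.
SOURCE_MESSAGE_SENT = [
    {"msg_hash": "0xaa01", "to": "0xAlice", "token": "USDC", "amount": 500},
    {"msg_hash": "0xaa02", "to": "0xBob", "token": "TAIKO", "amount": 1200},
]
DEST_RELEASES = [
    {"msg_hash": "0xaa01", "to": "0xAlice", "token": "USDC", "amount": 500},
    {"msg_hash": "0xaa02", "to": "0xBob", "token": "TAIKO", "amount": 9000},
    {"msg_hash": "0xff99", "to": "0xMallory", "token": "USDC", "amount": 250000},
    {"msg_hash": "0xaa01", "to": "0xAlice", "token": "USDC", "amount": 500},
]

def reconcile(sent_events, releases):
    """Return (reason, release) for each release the source chain cannot justify."""
    sent = {e["msg_hash"]: e for e in sent_events}
    seen = Counter()
    findings = []
    for rel in releases:
        h = rel["msg_hash"]
        seen[h] += 1
        src = sent.get(h)
        if src is None:
            # The case described above: funds released with no MessageSent.
            findings.append(("no_source_message", rel))
        elif any(src[k] != rel[k] for k in ("to", "token", "amount")):
            # Source message exists but the payout differs from what was locked.
            findings.append(("field_mismatch", rel))
        elif seen[h] > 1:
            # A valid message must release funds only once.
            findings.append(("duplicate_release", rel))
    return findings

def exposure(findings):
    """Sum flagged amounts per token (conservative: full release amount)."""
    totals = defaultdict(int)
    for _, rel in findings:
        totals[rel["token"]] += rel["amount"]
    return dict(totals)

if __name__ == "__main__":
    flagged = reconcile(SOURCE_MESSAGE_SENT, DEST_RELEASES)
    for reason, rel in flagged:
        print(f"ALERT {reason}: {rel['msg_hash']} {rel['amount']} {rel['token']}")
    print("unbacked exposure:", exposure(flagged))
```

A production monitor would read both sides from its own indexed nodes rather than from the prover or verifier path, since that path is what a leaked signing key compromises.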

Response, containment, and token fallout

Before the freeze, approximately 2 million TAIKO tokens worth roughly $170,000 were transferred to an account on MEXC. After pausing both the L1 Bridge and ERC20 Vault contracts and halting block production, Taiko's team confirmed containment at around 2 a.m. ET, per CoinDesk. The team urged remaining users to withdraw funds and asked centralized exchanges to suspend TAIKO deposits.

The TAIKO token fell more than 20% from midnight UTC on the news, per CoinDesk. Crypto Times reported the token reaching $0.07294 on the day.

Bridge exploits in 2026

The $1.7 million loss is modest by 2026 standards. Bridge infrastructure has been the year's dominant attack surface: more than $340 million drained across at least 14 separate exploits, including $292 million from the Kelp DAO bridge in April, per CoinDesk. For Taiko, the incident is a credentials failure rather than a protocol flaw: a private key committed to a public repository was all the attacker needed.