Echo Protocol Hack May Have Stemmed From Stolen Admin Key, Not Smart Contract Flaw

The hack of Monad-based decentralized finance project Echo Protocol may have been caused by a stolen administrator private key rather than a smart contract flaw.

Cointelegraph reported on May 19 that blockchain developer Marioo described the incident as a compromised admin private key, not a smart contract bug. In his analysis, the breach was closer to an operational failure than a technical defect.

Blockchain security firms PeckShield and Lookonchain had earlier reported that the attacker minted about 1,000 eBTC on Echo Protocol without authorization. The losses are estimated at about $76.7 million.

Marioo said the eBTC contract itself functioned as designed. He cited a single-admin signature structure, the absence of a timelock, no minting cap and insufficient vetting of new collateral as factors behind the incident.

The hacker deposited about 45 eBTC as collateral on Curvance, a DeFi liquidity and lending protocol, and borrowed about 11.3 WBTC. The assets were then bridged to the Ethereum network and exchanged for ETH. About 384 ETH was later moved to Tornado Cash.

According to DeBank, the attacker still holds about 955 eBTC, worth roughly $73 million.

Echo Protocol said it is investigating the security incident tied to its Monad-based bridge and has halted all cross-chain transactions. Curvance also temporarily suspended the related market after detecting unusual activity, but said there were no signs its own smart contracts had been compromised.

Keone Hon, Monad's co-founder, said the network itself was unaffected and continues to operate normally.