Bitcoin-focused DeFi protocol Echo Protocol lost roughly $77 million after an attacker exploited a compromised admin key to mint about 1,000 unauthorised eBTC tokens on the Monad blockchain, according to a Tuesday post by blockchain security firm PeckShield. The minted tokens were then used to borrow $3.45 million in wrapped bitcoin (WBTC) against funds sitting in the money market and reward layer of lending protocol Curvance, before the proceeds were laundered through Tornado Cash.
Echo Protocol said it has since regained control of the admin keys and burned the remaining 955 eBTC still held by the attacker. The team has paused cross-chain functionality for the Monad deployment and completed a contract upgrade to restrict the affected operations, while keeping the Aptos bridge open but suspending bridge operations as a precaution pending review.
Why it matters
The attack lands in the middle of a brutal run for DeFi. In recent weeks, Drift Protocol and KelpDAO were each drained of well over $200 million, putting 2025 on track to rival the worst exploit years on record. Echo is smaller than those venues, but the pattern is the same: a single compromised admin key — not a clever smart-contract bug — was the entry point, which is the failure mode auditors and risk teams have been warning about for years. eBTC is a synthetic Bitcoin wrapper used to deliver BTC-denominated liquidity and yield; on a chain as new as Monad, an exploit of this size is a credibility test for the entire deployment.
Market impact
The Echo team framed the incident as contained — admin keys recovered, residual supply burned, Curvance exposure limited to the $3.45M WBTC loan. Investors will watch whether that WBTC position can be recovered from the attacker or from Tornado-Cash-mixed wallets, and whether the Aptos-side Echo deployment resumes cleanly. For Monad, a launch-era exploit of this magnitude will draw scrutiny to admin-key hygiene and bridge design across the rest of its DeFi stack.
Frequently asked questions
-
How did the Echo Protocol exploit happen?
An attacker used a compromised admin key to mint about 1,000 unauthorised eBTC tokens on the Monad blockchain, then used them to borrow $3.45M in WBTC on Curvance and launder the proceeds through Tornado Cash.
-
How much was stolen from Echo Protocol?
Roughly $77 million worth of eBTC was minted without authorisation, of which 955 eBTC still held by the attacker was later burned by the Echo team after it regained control of the admin keys.
-
What has Echo Protocol done in response?
Echo said it recovered the admin keys, burned the attacker's remaining 955 eBTC, paused cross-chain functionality on the Monad deployment, upgraded the relevant contract, and suspended Aptos bridge operations as a precaution.
-
Was the Curvance money market affected?
The attacker borrowed $3.45M in WBTC against funds in Curvance's money market and reward layer, making Curvance the on-chain venue with direct exposure to the laundered proceeds.
-
How does this fit into the broader DeFi exploit trend?
The Echo attack follows Drift Protocol and KelpDAO, each drained of well over $200M in recent weeks, marking one of the worst stretches of DeFi exploits on record and putting 2025 on track to rival prior peak-loss years.
CoinDesk