Echo Protocol Probes eBTC Mint on Monad; Bridge Paused, Curvance Market Isolated After Suspected Admin-Key Compromise

Meta Description: Echo Protocol investigates eBTC mint on Monad; about $816K stolen as bridge is paused. Curvance isolates affected market; Echo says 955 eBTC burned.

Echo Protocol is investigating a security incident on Monad after on-chain analysts flagged an attacker who minted 1,000 eBTC and used part of the position to extract WBTC liquidity via Curvance, prompting Echo to suspend all cross-chain transactions while the review proceeds. The episode underscores persistent risks at the intersection of bridges, synthetic assets and lending markets that can transmit losses across chains and potentially burden liquidity providers.

Market Movement

The reported exploit arrived as broader crypto benchmarks steadied. At press time, the total cryptocurrency market capitalization stood at $2.54 trillion, with market conditions described as hovering above key support on TradingView. The incident did not immediately trigger a wider market dislocation, but it became an intra-day focal point for risk discussions around DeFi architecture and bridge governance.

Trading Activity

The sequence began with a public alert from on-chain analyst DCF GOD, who warned that Echo “may be hacked on Monad.” A follow-up post pointed to a transaction on May 18 at 21:21:32 UTC that showed 1,000 eBTC moving on Monad. Lookonchain subsequently mapped a more detailed flow, reporting that the attacker minted 1,000 eBTC valued at about $76.64 million, deposited 45 eBTC worth roughly $3.45 million into Curvance, borrowed 11.3 WBTC worth about $867,000, bridged that WBTC to Ethereum, swapped it for 385 ETH worth about $821,000, and deposited the ETH into Tornado Cash. Lookonchain added that the attacker still held 955 eBTC valued at about $73.2 million at the time of its post.

Phylax Systems founder and CEO Odysseas Lamtzidis said the trail indicated the issue did not originate with Curvance’s lending logic but with permissions on the eBTC side. According to his analysis, the eBTC administrator granted DEFAULT_ADMIN_ROLE to an external address, which then revoked the original admin, self-assigned MINTER_ROLE, minted 1,000 eBTC, posted 45 eBTC as collateral on Curvance, and borrowed roughly 11.296 WBTC. He characterized the pattern as consistent with an “admin-key/role compromise.”

Industry Reaction

Echo confirmed the incident and suspended its bridge while it investigated, stating that all cross-chain transactions would remain halted during the review. The project later issued an update acknowledging “unauthorized minting and associated fund loss” involving eBTC on Monad and said its investigation indicated the issue stemmed from a compromised admin key affecting the Monad deployment. Echo said approximately $816,000 was impacted on Monad based on current findings, that the Monad network itself was not affected, and that the team had regained control of its admin keys and burned the remaining 955 eBTC that had been in the attacker’s possession.

Curvance, which processed the eBTC collateral and the WBTC borrow tied to the incident, paused the affected Echo eBTC market while the teams assessed exposure. The lending protocol indicated that it had no evidence of a compromise to its smart contracts and emphasized that its isolated-market architecture limited potential spillovers to other markets. Monad CEO Keone Hon separately clarified that the Monad network continued operating normally and echoed estimates that roughly $816,000 appeared to have been stolen as a result of the exploit affecting Echo Protocol’s eBTC.

Investor Sentiment

The rapid suspension of Echo’s bridge and the targeted pause on Curvance contained immediate contagion risks, but market participants focused on three operational questions: what happened to the unauthorized eBTC supply, whether Curvance would be left with any bad debt tied to the WBTC borrow, and when Echo’s cross-chain functionality could be restored. Echo’s subsequent statement that it had burned the remaining 955 eBTC and regained control of its admin keys directly addressed the supply concern, though users and liquidity providers are likely to watch for further detail on potential residual obligations within the lending market and the precise permissions or contracts implicated in the exploit path.

The messaging cadence from Echo, Curvance and Monad helped set expectations. Echo’s emphasis on bridge suspension signaled a priority to ring-fence cross-chain pathways until a root-cause analysis is complete. Curvance’s isolated-market response, together with its assertion that its contracts remained intact, aimed to limit lender and borrower uncertainty outside the affected pool. Monad’s network-level clarification was designed to assure validators, users, and builders that core chain operations were not disrupted by an application-layer issue.

Broader Market Context

The Echo exploit extends a stretch of security setbacks for crypto infrastructure. On May 15, THORChain lost more than $10 million across Bitcoin, Ethereum, BNB Chain and Base, including 36.75 BTC and roughly $7 million in additional assets. Days later, the Verus-Ethereum Bridge was drained for about $11.5 million; reports said the attacker took 103.6 tBTC, 1,625 ETH and 147,000 USDC before consolidating the haul into roughly 5,402 ETH. The clustering of incidents across bridge and cross-chain tools has kept operational risk squarely in focus for professional market-makers, protocols and retail users navigating DeFi’s composability.

The mechanics of the Echo case align with a familiar failure pattern. Once a bridged or synthetic asset is treated as valid collateral within a lending protocol, a compromise on the supply side can translate into real liquidity losses elsewhere—even when only a portion of the notional position is converted. In this instance, the alleged attacker monetized a slice of the minted eBTC by borrowing WBTC on Curvance, moving assets off Monad, converting to ETH and routing funds through a mixer—steps that can complicate asset recovery and blur the ultimate endpoint of proceeds, even if later interventions neutralize the remaining minted supply.

Trading Activity

Intraday on-chain behavior reflected a mixture of alert-driven responses and defensive architecture. DCF GOD’s initial warning catalyzed further scrutiny, while Lookonchain’s mapping of the wallet path offered a near-real-time narrative for traders tracking potential outflows to Ethereum and mixers. Curvance’s pause on the single affected market exemplified an increasingly standard containment technique among lending protocols, where isolated markets can be disabled to halt collateralized borrowing and prevent pricing or oracle feedback loops without shuttering unrelated venues.

The amounts cited in public posts help frame the immediate financial effect. While Lookonchain’s tallies placed the originally minted eBTC at around $76.64 million in value and enumerated the steps taken to borrow, bridge and exchange funds, Monad’s leadership and Echo’s update converged on an impact of approximately $816,000 on Monad tied to the exploit route. The difference between the larger notional mint and the smaller realized loss so far highlights how quickly design decisions—such as market isolation, mint controls, or post-incident burns—can influence the ultimate scale of harm to lenders, liquidity pools and users.

Industry Reaction

Technical observers concentrated on permissions, role scopes and key management. Lamtzidis’s assessment that the eBTC admin granted DEFAULT_ADMIN_ROLE to another address—followed by a cascade of revocations, role escalations and minting—shifts focus to governance and operational security rather than code-level defects in Curvance’s lending contracts. That framing matters for market structure: if the lending protocol’s codebase is intact, remediation can target the compromised deployment and bridge logic without requiring broader contract upgrades or pausing unrelated markets longer than necessary.

Echo’s disclosure that it had “successfully regained control of our admin keys” and burned the remaining 955 eBTC addresses two critical containment objectives: preventing further unauthorized issuance and neutralizing the portion of supply still held by the attacker at the time of the update. The team’s statement that it continues to coordinate with “ecosystem partners” and apply additional precautionary measures signposts a post-incident workflow common across DeFi—tightening operational controls, checking for cross-chain exposure, and clarifying recovery or restitution paths where applicable.

What This Means for Crypto Markets

The episode is a reminder that bridge design, collateral acceptance criteria and liquidity routing are among DeFi’s most exposed attack surfaces. Even when a base chain is unaffected, a compromised synthetic asset or wrapped token can become a funding source for borrowed liquidity elsewhere, creating concentrated risk for lending markets that accept such instruments as collateral. Architecture choices—such as isolated pools, conservative collateral lists, robust admin-key controls and transparent role-management—can limit the blast radius when an upstream asset fails.

For traders and liquidity providers, the central questions now are operational rather than directional. Market participants will look for Echo’s root-cause analysis of the compromised admin key on Monad, clarity on any residual obligations tied to the WBTC borrow at Curvance, confirmation of which bridge permissions or contracts were implicated, and a timeline for safely resuming cross-chain transactions. Monad’s assertion that the network is operating normally, coupled with Curvance’s stated lack of smart-contract compromise and isolated-market architecture, provides a framework for gradual normalization—contingent on credible post-mortems and verifiable changes to key management.

In the near term, attention is likely to remain on the affected Echo eBTC market on Monad as the key pressure point users watch to gauge whether the exploit has been fully contained or merely slowed. Echo’s update that it burned the remaining 955 eBTC and regained control of admin keys addresses the largest supply overhang, while the approximate $816,000 in identified loss offers a preliminary anchor for sizing immediate financial impact. With the total market cap near $2.54 trillion, the systemic footprint appears limited, yet the operational lessons are broadly relevant across protocols that depend on bridged or synthetic collateral.

The incident also reinforces that composability—DeFi’s core feature—is inseparable from shared security assumptions. As protocols interconnect, governance and permissioning on one platform can have direct consequences for liquidity on another. The Echo case, following recent hits to THORChain and the Verus-Ethereum Bridge in mid-May, will likely keep security reviews, role audits and collateral whitelists at the top of agendas for risk teams across the ecosystem.