Echo Protocol: Hacker Mints $76.7M in eBTC Through Admin Key Compromise

May 19, 2026

On May 19, 2026, DeFi protocol Echo Protocol lost $76.7 million. An attacker minted 1,000 synthetic Bitcoin (eBTC) using a compromised admin key on the Monad blockchain. The smart contract had no bugs. The failure was entirely operational.

PeckShield and Lookonchain tracked the suspicious transactions within minutes of the attack. The attacker executed several minting operations in quick succession. This exploit ranks as the third-largest in DeFi for 2026. The hacker still holds 955 eBTC worth around $73 million.

What Happened: Admin Key, Not a Code Bug

Echo Protocol is deployed on Monad, a relatively new EVM-compatible L1 blockchain built for parallel transaction processing. The protocol focuses on Bitcoin liquidity: aggregating BTC, offering liquid staking, restaking, and yield generation. eBTC is a synthetic asset letting users put Bitcoin to work in DeFi without selling their coins, similar to wBTC but built for Monad's ecosystem.

Developer "Marioo" published the first technical breakdown. The eBTC contract "worked exactly as designed." No code vulnerability existed. The attacker obtained the admin key and exploited four gaps in the protocol's configuration.

Those gaps: the admin role used a single signature with no multisig; no timelock existed for critical operations; there was no minting cap for eBTC and no rate limit; Curvance did not check whether freshly deposited eBTC collateral was backed by real assets. Together, these gaps let the attacker mint 1,000 eBTC without triggering a single automatic stop.

Laundering Route: Curvance, Ethereum, Tornado Cash

The attacker did not move all funds at once. First, they deposited 45 eBTC ($3.45M) into Curvance as collateral and borrowed 11.3 wBTC ($868K) against it. They then bridged wBTC to Ethereum, swapped it for ETH, and sent 384 ETH (roughly $822K) to the Tornado Cash mixer.

Curvance detected the anomaly and paused the eBTC market on its own. Its own smart contracts were not compromised. The protocol became an unwitting link in the laundering chain.

The remaining 955 eBTC worth ~$73 million still sits in the attacker's addresses. About 5% of the total has been laundered so far. Large-scale hackers typically hold most stolen funds for weeks while on-chain monitoring activity cools down.

Key figures: 1,000 eBTC minted for $76.7M. 45 eBTC ($3.45M) routed through Curvance, 384 ETH ($822K) sent to Tornado Cash. 955 eBTC (~$73M) still with the attacker.

Five Configuration Gaps That Enabled the Attack

No complex exploit was needed. A compromised key plus absent guardrails was enough. Each gap existed independently, but together they removed every automatic obstacle to minting tokens at will.

Echo Protocol Configuration Vulnerabilities

Admin signature: Single key (no multisig)
Timelock for critical ops: None
eBTC minting cap: Not set
Rate limit: None
Supply sanity check (Curvance): Not implemented

Multisig and timelock became baseline standards for mature DeFi protocols following the hack wave of 2022-2023. The accepted minimum: 2-of-3 multisig for admin functions and a 24-to-72-hour timelock for irreversible operations. A timelock gives teams a window to catch suspicious transactions before they run. Echo Protocol skipped both. The cost was $76.7 million.
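
The sketch below is an added example, not Echo Protocol's code: it shows how a timelock, a supply cap and a rate limit combine so that a single stolen admin key cannot mint at will. The contract name, the guardian role and every constant (including 8 token decimals) are assumptions chosen for illustration, and the admin address is assumed to be a multisig wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; GuardedMint and all names and values are hypothetical.
contract GuardedMint {
    address public immutable admin;     // assumed to be a 2-of-3 multisig wallet, not a single key
    address public immutable guardian;  // separate key that can only cancel queued mints
    uint256 public constant DELAY = 24 hours;     // timelock before a queued mint may run
    uint256 public constant SUPPLY_CAP = 500e8;   // constructed cap: 500 tokens, 8 decimals assumed
    uint256 public constant WINDOW = 1 days;      // rate-limit window
    uint256 public constant WINDOW_LIMIT = 10e8;  // constructed limit: 10 tokens per window
    uint256 public totalSupply;
    uint256 public windowStart;
    uint256 public mintedInWindow;
    mapping(address => uint256) public balanceOf;
    mapping(bytes32 => uint256) public readyAt;   // queued mint id => earliest execution time
    event MintQueued(bytes32 indexed id, address to, uint256 amount, uint256 readyAt);
    event Minted(bytes32 indexed id, address to, uint256 amount);

    constructor(address multisig, address guardian_) { admin = multisig; guardian = guardian_; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Step 1: announce the mint on-chain, so monitoring has DELAY to react.
    function queueMint(address to, uint256 amount, bytes32 salt) external onlyAdmin returns (bytes32 id) {
        id = keccak256(abi.encode(to, amount, salt));
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit MintQueued(id, to, amount, readyAt[id]);
    }

    // The guardian can veto during the delay, even if the admin key is compromised.
    function cancelMint(bytes32 id) external {
        require(msg.sender == guardian, "not guardian");
        delete readyAt[id];
    }

    // Step 2: run only after the delay, and only within the rate limit and supply cap.
    function executeMint(address to, uint256 amount, bytes32 salt) external onlyAdmin {
        bytes32 id = keccak256(abi.encode(to, amount, salt));
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[id];
        if (block.timestamp >= windowStart + WINDOW) { windowStart = block.timestamp; mintedInWindow = 0; }
        require(mintedInWindow + amount <= WINDOW_LIMIT, "rate limit");
        require(totalSupply + amount <= SUPPLY_CAP, "supply cap");
        mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(id, to, amount);
    }
}
```

With these constructed limits, a burst of mints like the one described above would stall at the first `executeMint` call for 24 hours, and no single window could release more than 10 tokens.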

Responses from Echo Protocol, Curvance, and Monad

Echo Protocol suspended all cross-chain transactions and confirmed an ongoing investigation. No compensation details for affected users have been released. The team promised updates through official channels as the situation develops.

Curvance blocked the eBTC market after detecting the anomaly. Its own contracts were unaffected. The block came after the attacker had already moved funds through the platform.

Monad faced an awkward position. The network itself was not touched. Co-founder Keone Hon confirmed on social media that the chain "is not affected and is operating normally." Still, a young L1 actively recruiting protocols absorbed a reputational hit. DeFi application security and base-layer security are separate concerns, and builders on Monad bear full responsibility for their own operational hygiene.

DeFi in 2026: Context and Scale

At least 12 protocols were compromised in May 2026 alone, according to PeckShield. Echo Protocol is the third-largest DeFi exploit of the year. The two bigger ones came earlier: Drift Protocol at $285M and Kelp DAO at $292M in April.

The week before this hack brought three more incidents. Verus Protocol lost $11.6M through a fake cross-chain message. THORChain halted trading over a suspected $10M in suspicious activity. Transit Finance lost $1.88M through a deprecated contract nobody updated.

The pattern across 2026 hacks is consistent. Most attacks no longer target code bugs. Attackers go after governance weak points, specifically admin keys, outdated contracts without maintenance, and team process failures. Smart contract audits alone are not enough. Echo Protocol is a clear example: the code passed review. The ops did not.
