Echo Protocol Hack Autopsy: The $76 Million Exploit That Wasn’t Really a Hack
By: BeInCrypto
2026 DeFi losses crossed $1 billion in four months, with April alone draining $634 million across 28+ incidents, the worst month on record. Drift ($285M) and KelpDAO ($292M) alone accounted for $577 million of April's losses, and neither was a code exploit. DefiLlama's 2026 hack breakdown tells the same story. The biggest slices are LayerZero bridge exploits (18%), compromised admin keys (16%), spoof tokens (14%), and private key compromises (11%). Combined, operational and key-management failures account for the majority of all stolen value this year. Smart contract bugs like re-entrancy and oracle manipulation barely register.

Echo Protocol just became the latest data point. On May 18, an attacker broke into the Echo Protocol on Monad and printed 1,000 fake eBTC for themselves. That's $76.7M on paper. The problem is, fake tokens don't buy you anything unless you can trade them for something real. So they took a small chunk, dropped it into Curvance's lending app as collateral, and borrowed real Bitcoin against it. Then they bridged that Bitcoin to Ethereum, swapped it for ETH, and ran it through Tornado Cash. Final take: around $816,000.

Everyone's calling it $76.7 million, but the real number is $816,000, and why those two numbers are so far apart is the main story here.

"Earlier today, Echo Protocol identified unauthorized activity involving eBTC on Monad that resulted in unauthorized minting and associated fund loss. Our investigation indicates the issue originated from a compromised admin key affecting the Monad deployment. Based on current" (Echo Protocol, @EchoProtocol_, May 19, 2026)

This breakdown covers what happened, how, and what it says about DeFi security right now. The bottom line: the contract was fine. A stolen admin key and lazy controls did everything else, and that's how most of 2026's DeFi losses are happening.

Post Mortem (The Summary)

Echo Protocol was not hacked through bad smart contract code. The attacker stole or accessed an admin key.
That admin key controlled minting rights for Echo's eBTC token on Monad. One private key was enough to create fake Bitcoin-backed tokens. The attacker minted 1,000 fake eBTC, worth about $76.7 million on paper, but those tokens had no real BTC backing. They could not cash out the full amount because Monad liquidity was thin. So they used 45 fake eBTC as collateral on Curvance. Curvance accepted the fake eBTC as normal collateral and let the attacker borrow real WBTC. The attacker escaped with about $816,000 in real value, not $76.7 million.

Echo later burned the remaining 955 fake eBTC and paused affected functions. Monad itself was not hacked. Curvance's main protocol was not directly hacked either. The failure came from Echo's admin setup and Curvance trusting newly minted collateral.

The core lesson: DeFi attackers are now targeting keys, admins, bridges, infrastructure, and team operations more than smart contract bugs. Basic protections could have reduced or stopped this: multisig admin control, timelocks, mint caps, rate limits, and collateral checks. Echo got lucky. The attacker only failed to drain more because there was not enough liquidity to cash out the fake tokens.

The Players

Here's the full breakdown of what happened, and how.

Echo Protocol

A BTCFi (Bitcoin DeFi) project. Their pitch: take your BTC, get a yield-bearing wrapped version of it that works in DeFi. Their home base is Aptos, where the token is called aBTC. They hit a peak TVL of $878 million on Aptos in May 2025 and currently sit around $254 million. Echo expanded to Monad as part of Monad's mainnet ecosystem push. On Monad, their wrapped BTC token is called eBTC. This is critical: aBTC and eBTC are completely separate, non-bridgeable assets. They're parallel deployments, not connected. The hack hit eBTC on Monad only.

Monad

A new high-performance parallelized EVM L1, one of the hyped chains of 2025-26. Just out of mainnet, with lots of protocols deploying fresh. Echo is one of them.
Monad itself was NOT compromised in any way. Co-founder @keoneHD confirmed the network ran normally throughout. It was a protocol-level failure on top of Monad.

"To clarify, the Monad network is not affected and is operating normally. Security researchers in their review have determined that ~$816,000 appears to have been stolen as a result of this exploit of @EchoProtocol_'s eBTC" (Keone Hon, @keoneHD, May 18, 2026)

Curvance

A lending protocol deployed on Monad. It functions like Aave but with isolated markets, where each collateral asset lives in its own siloed pool so a compromised asset can't infect the rest of the lending protocol. They had listed eBTC as a collateral asset.

Tornado Cash

A sanctioned ETH mixer. You send ETH in, you get ETH out from a different wallet, and the on-chain trail is broken. Standard exit tool for hackers.

Exploit

"🚨 According to @dcfgod, @EchoProtocol_ on @monad has been exploited. The attacker reportedly minted 1,000 $eBTC worth $76.7M and used a previously tested exploit flow to extract funds through Curvance. So far, the exploiter has: Deposited 45 $eBTC ($3.45M)" (Onchain Lens, @OnchainLens, May 18, 2026)

What Got Exploited

Echo's eBTC token on Monad is a standard ERC-20 contract that uses OpenZeppelin's role-based access control system. This is industry standard, used by basically every serious DeFi project. Two roles matter in its setup:

DEFAULT_ADMIN_ROLE: the master role. Can grant or revoke any other role on the contract.
MINTER_ROLE: can call mint() and create new eBTC tokens.

Normally, only Echo's team holds these. Minting only happens when real BTC gets locked somewhere, and the team mints the matching eBTC. That's the entire trust model behind a wrapped token.

Here's where Echo messed up. The DEFAULT_ADMIN_ROLE sat on a single EOA, basically just a normal wallet with one private key behind it. And the wallet had no safety nets.
Whoever held that key could mint as much as they wanted, whenever they wanted, with nothing to slow them down. So the entire $254M+ Echo ecosystem on Monad was, in security terms, sitting behind one private key.

That key got stolen. Nobody's said how yet. Could be phishing, malware on a team laptop, an infra breach, an insider, secrets leaked in a repo, or a supply chain attack through a dev tool. Echo hasn't disclosed.

The Attack Step by Step

Date: May 18, 2026, around 5:55 PM ET

Step 1: Attackers use the stolen admin key to grant themselves DEFAULT_ADMIN_ROLE on a fresh wallet. They're now admin too.

Step 2: From that new admin role, they grant themselves MINTER_ROLE. They can now mint.

Step 3: They call mint(attacker_wallet, 1000e8). 1,000 eBTC shows up in their wallet. Notional value $76.7M. Real BTC backing: zero. These tokens are completely fake, phantom claims on Bitcoin that doesn't exist anywhere.

Step 4: They revoke the original Echo admin and their own admin role too. A cleanup move so it looks less suspicious on-chain. From the outside, it just looks like a random wallet holding 1,000 eBTC.

At this point, the peg is mathematically broken. There are 1,000 more eBTC tokens than there is BTC backing them. But the attacker hasn't actually taken anything yet. Fake tokens are worthless unless you can convert them into real money.

The Cashout Flow

You can't just dump 1,000 fake eBTC on a DEX. Monad's DEXs don't have anywhere close to that liquidity. You'd crash the price to zero before extracting anything, and arbitrageurs would catch it instantly. So the attacker went to a lending market instead.

Step 5: Deposit 45 eBTC ($3.45M paper value) into Curvance as collateral. Curvance accepts it because, from the contract's view, eBTC is eBTC. There is no oracle or check that separates freshly minted fake eBTC from legit BTC-backed eBTC. That's the second failure of this hack. Lending markets just accept new collateral at face value without checking where it came from.

Step 6:
Borrow 11.29 WBTC against it, about $868K of real wrapped Bitcoin. WBTC is the major BTC-on-Ethereum token: deep liquidity, fully backed. They now have $868K of real value, secured by $3.45M of fake collateral they're never coming back for.

Step 7: Bridge the WBTC to Ethereum. That's where liquidity lives and where Tornado works.

Step 8: Swap WBTC to ~384 ETH on Ethereum (~$822K).

Step 9: Run the 384 ETH through Tornado Cash. The trail breaks. Funds land in fresh wallets that can't be traced back.

Total real money out: approximately $816,000.

How Echo Responded

Within hours of the hack going public, Echo reclaimed the admin key, burned the 955 eBTC still sitting in the attacker's wallet (which no longer exists), and paused all cross-chain functionality on Monad. They also paused the Aptos bridge and Aptos lending even though Aptos was clean, just to be safe. They pushed a contract upgrade on Monad to restrict the affected operations and said they'd patch their other EVM bridge deployments too.

Curvance paused the eBTC market, confirmed that their own contracts were fine, and noted that their isolated market design prevented the damage from spreading to other lending pools.

Keone from Monad clarified the chain was untouched and pegged the actual loss at around $816K.

The Breakdown

The gap between $76.7 million and $816,000 is the whole story. Curvance was the only viable exit, and its depth capped the borrow at approximately $868,000.

eBTC minted: 1,000 (notional $76.7M)
Deposited to Curvance: 45 eBTC
WBTC borrowed: 11.29 (~$868K)
Sent through Tornado: ~384 ETH (~$822K)
Actually stolen: ~$816K
eBTC burned by Echo: 955
Aptos exposure: ~$71K
ECHO drawdown: ~11-12%

The other 955 eBTC had nowhere to go until Echo burned it. Monad's thin liquidity saved Echo from a much bigger loss. On Ethereum, this would've been close to $76M out the door.

Why this was an operational hack, not a smart contract hack

The code wasn't the issue. It worked the way it was supposed to.
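Because the contract did exactly what its roles allowed, every step of the sequence above was also visible on-chain as ordinary events. As an added illustration (not code from the article, Echo or Curvance), here is a small monitor run over a constructed event log in the shape OpenZeppelin AccessControl and ERC-20 emit; the addresses, the 150 BTC of attested backing and the 50-block window are assumptions:

```python
"""Added example (not Echo's or Curvance's code): a minimal monitor over constructed
eBTC contract events in the shape OpenZeppelin AccessControl (RoleGranted, RoleRevoked)
and ERC-20 (Transfer from the zero address, i.e. a mint) emit them."""
from dataclasses import dataclass

ZERO = "0x0000000000000000000000000000000000000000"
ADMIN, MINTER = "DEFAULT_ADMIN_ROLE", "MINTER_ROLE"

@dataclass
class Event:
    block: int
    name: str    # "RoleGranted", "RoleRevoked" or "Transfer"
    args: dict   # decoded event arguments

def detect(events, backing_sats, window=50):
    """Flag the sequence described above: an account that receives admin grants itself
    minter within `window` blocks, mints beyond attested backing, then revokes roles.
    backing_sats: BTC reserves (in satoshis) that eBTC supply must never exceed."""
    alerts, escalated, supply = [], {}, 0   # escalated: account -> block it got admin
    for ev in events:
        a = ev.args
        if ev.name == "RoleGranted" and a["role"] == ADMIN:
            escalated[a["account"]] = ev.block
        elif ev.name == "RoleGranted" and a["role"] == MINTER:
            since = ev.block - escalated.get(a["account"], -window - 1)
            if 0 <= since <= window:
                alerts.append(f"self-escalation: {a['account']} admin->minter in {since} blocks")
        elif ev.name == "Transfer" and a["from"] == ZERO:
            supply += a["value"]
            if supply > backing_sats:
                alerts.append(f"unbacked mint: supply {supply / 1e8:.0f} eBTC > backing "
                              f"{backing_sats / 1e8:.0f} BTC at block {ev.block}")
        elif ev.name == "RoleRevoked" and a["sender"] in escalated:
            alerts.append(f"cleanup: {a['sender']} revoked {a['role']} from {a['account']}")
    return alerts

# Constructed sample log: one legitimate mint, then steps 1-4 from the article.
ECHO, ATTACKER = "0xecho-admin(constructed)", "0xattacker(constructed)"
SAMPLE = [
    Event(100, "Transfer", {"from": ZERO, "to": "0xuser(constructed)", "value": 150 * 10**8}),
    Event(500, "RoleGranted", {"role": ADMIN, "account": ATTACKER, "sender": ECHO}),
    Event(501, "RoleGranted", {"role": MINTER, "account": ATTACKER, "sender": ATTACKER}),
    Event(502, "Transfer", {"from": ZERO, "to": ATTACKER, "value": 1000 * 10**8}),
    Event(503, "RoleRevoked", {"role": ADMIN, "account": ECHO, "sender": ATTACKER}),
    Event(504, "RoleRevoked", {"role": ADMIN, "account": ATTACKER, "sender": ATTACKER}),
]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE, backing_sats=150 * 10**8)))
```

The supply-versus-backing rule needs an attested reserve figure from outside the chain; without one, a monitor can still fire on the escalation and cleanup patterns alone.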
The real problem was how Echo set things up around the contract:

- The admin role was held by a single wallet instead of a multisig. Stealing a single private key was enough to take over the entire protocol.
- There was no timelock. When the attacker granted themselves admin and then minter rights, those changes went live immediately. No delay, no window for the team to notice and respond.
- The contract had no maximum supply. Minting 1,000 eBTC with zero BTC backing was technically allowed by the rules of the contract itself.
- No rate limit either. The attacker minted the entire 1,000 in a single transaction, rather than being forced to spread it out.
- Curvance accepted the freshly minted eBTC as collateral without checking whether it was legitimately backed. The lending market just saw eBTC tokens in a wallet and treated them the same as real ones.

None of these are obscure or experimental fixes. Multisigs, timelocks, mint caps, and supply checks are things serious DeFi protocols have been shipping for years. Echo just didn't bother with any of them.

May 2026 looks like this

Echo is the 14th hack this month. The year so far:

Protocol | Loss | Vector
KelpDAO (Apr) | $292M | RPC poisoning + DDoS (Lazarus)
Drift | $285M | Social engineering (Lazarus, UNC4736)
THORChain (May 15) | $10M+ | Vault breach
Verus bridge (May 17) | $11.6M | Cross-chain verification
Echo (May 18) | $816K | Admin key
Transit Finance | $1.88M | Deprecated contract

Approximately $328.6 million was lost to bridge hacks in 2026 across 8 incidents. None of these were Solidity bugs. Keys, signers, RPC endpoints, off-chain verifiers: that's where the money is leaving now. The attackers moved up the stack.

A few from this year worth paying attention to:

Drift (April): Not a technical exploit. UNC4736 (North Korea) spent six months social engineering Drift employees, then drained $285M in 12 minutes. Six months of prep, 12 minutes of execution. That's a military op, not a hack.

KelpDAO (17 days later): Same group, completely different vector.
They poisoned LayerZero's RPC infrastructure and forged cross-chain messages for $292M. State-sponsored teams running multiple playbooks in parallel.

AI is showing up too: Google confirmed the first AI-powered mass exploit on May 11 (AI found a zero-day and wrote bypass code for 2FA). GoPlus reported a 231% MoM jump in Web3 losses partly tied to AI. CrowdStrike puts the average eCrime breakout time at 29 minutes, with the fastest at 27 seconds. The attack side is automating; defense mostly isn't.

Resolv Labs (March): Admin key compromise on a stablecoin issuer. The attacker minted 80M unbacked USR, drained $25M, and USR depegged by 80%. Same root cause as Echo, completely different protocol type. The pattern doesn't care what you're building.

Ondo Finance put it bluntly in their post-incident analysis: there is no single class of vulnerability to defend against. That's the part most protocols still haven't internalized.

So when Echo got drained through a stolen admin key, it didn't happen in a vacuum. It happened during the most hostile threat environment DeFi has ever seen, and the protocol was set up as if it were still 2022.

So what?

DeFi spent the last five years getting good at smart contract security. Audits, bug bounties, formal verification, all of it. So the attackers stopped targeting the code and started targeting everything else: keys, infrastructure, employees, signers. None of that gets audited.

For any wrapped BTC protocol, the only security question that actually matters is who can mint, and how hard it is for someone to take that power from them. If the answer is a multisig with a timelock, a mint cap, and a lending market that checks where new collateral came from, you have a real protocol. If the answer is one wallet with one key, you have $254M sitting there waiting to be taken. Echo was the second kind.

The damage doesn't stay in one place either. Aave wasn't hacked in April, but it lost $5.4B in TVL within 48 hours of the KelpDAO exploit anyway.
People just panicked and pulled their money out of everything. That's what happens now. One protocol gets hit and the whole sector gets repriced.

The fixes are not new. They've been around for years. Multisig the admin, timelock the changes, cap the supply, check the collateral. It's just that none of it makes a protocol more competitive on the front end, so nobody ships it until they're the next headline. Echo got off easy because Monad's liquidity was too thin for the attacker to fully cash out. The next protocol probably won't have that excuse.
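To make those fixes concrete, here is an added model (not Echo's or Curvance's code) of a token whose role grants are timelocked and whose mints are capped and rate-limited, plus the lending-side check of supply against attested backing, replayed against the grant-minter-then-mint-1000 sequence from the attack; the multisig is out of scope, and the cap, limits, delay, addresses and reserve figures are constructed:

```python
# Added example (not Echo's or Curvance's code); all parameters are constructed.
SATS = 10**8   # eBTC uses 8 decimals, as in the article's mint(attacker_wallet, 1000e8)
class GuardedToken:
    """Token with timelocked role grants, a hard mint cap and a per-epoch mint limit."""
    def __init__(self, admins, max_supply, epoch_limit, epoch_blocks, role_delay):
        self.roles = {"admin": set(admins), "minter": set()}
        self.pending = {}            # (role, account) -> first block the grant may execute
        self.supply, self.max_supply = 0, max_supply
        self.epoch_limit, self.epoch_blocks = epoch_limit, epoch_blocks
        self.role_delay, self.minted = role_delay, {}   # minted: epoch -> amount minted
    def propose_grant(self, sender, role, account, block):
        if sender not in self.roles["admin"]:
            raise PermissionError("not admin")
        self.pending[(role, account)] = block + self.role_delay   # visible on-chain meanwhile
    def execute_grant(self, role, account, block):
        ready = self.pending.get((role, account))
        if ready is None or block < ready:
            raise PermissionError("timelock not elapsed")
        self.roles[role].add(account)
    def mint(self, sender, amount, block):
        if sender not in self.roles["minter"]:
            raise PermissionError("not minter")
        if self.supply + amount > self.max_supply:
            raise ValueError("mint cap exceeded")
        epoch = block // self.epoch_blocks
        if self.minted.get(epoch, 0) + amount > self.epoch_limit:
            raise ValueError("epoch rate limit exceeded")
        self.minted[epoch] = self.minted.get(epoch, 0) + amount
        self.supply += amount

def collateral_accepted(token_supply, attested_backing):
    # Lending-market side: refuse the asset while its supply exceeds attested BTC reserves.
    return token_supply <= attested_backing

def replay_attack(stolen_key="0xecho-admin(constructed)", attacker="0xattacker(constructed)"):
    """Replay the article's grant-minter-then-mint-1000 steps with the admin key stolen."""
    t = GuardedToken([stolen_key], max_supply=300 * SATS, epoch_limit=20 * SATS,
                     epoch_blocks=1000, role_delay=100)
    t.propose_grant(stolen_key, "minter", attacker, block=500)   # executable from block 600
    hits = []
    for blk, amt in ((501, 1000 * SATS), (601, 1000 * SATS), (601, 20 * SATS), (602, SATS)):
        try:
            if attacker not in t.roles["minter"]:
                t.execute_grant("minter", attacker, blk)
            t.mint(attacker, amt, blk)
            hits.append(f"block {blk}: minted {amt // SATS} eBTC")
        except (PermissionError, ValueError) as e:
            hits.append(f"block {blk}: {e}")
    return hits, t.supply
```

With one key stolen the proposal still goes through, so the timelock buys the 100-block window to notice it, and the cap and epoch limit bound what the minter can create even if nobody does.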