Echo Protocol eBTC Admin Key Attack Investigation Report
Date: May 27, 2026
Event: Echo Protocol eBTC Admin Key Attack
Attack Time: May 18, 2026 ~17:55 ET
Investigator: Onchain Shadow
Executive Summary
BTCFi protocol Echo Protocol's eBTC deployment on Monad suffered an admin key attack. The attacker obtained DEFAULT_ADMIN_ROLE, granted itself MINTER_ROLE, minted 1,000 units of unbacked eBTC (face value $76.7M), and cashed out approximately $816K in real assets through the Curvance lending protocol before laundering the proceeds through Tornado Cash. Because liquidity in the Monad DeFi ecosystem was insufficient, 955 eBTC remained illiquid and were ultimately destroyed by the Echo team.
Key Lesson: A $254M+ TVL protocol with management permissions tied to a single EOA private key—one key is the entire line of defense.
Key Metrics
| Metric | Value |
|---|---|
| Fake Token Face Value | ~$76.7M (1,000 eBTC) |
| Actual Cash-Out Amount | ~$816K (384 ETH → Tornado Cash) |
| Face Value to Actual Ratio | 94:1 (due to liquidity insufficiency) |
| Destroyed Fake Tokens | 955 eBTC |
| Echo Aptos TVL | ~$254M |
| ECHO Token Decline | -11% (after news broke) |
Attack Flow Breakdown
Step 1: Obtain Admin Privileges
The attacker obtained control of the eBTC contract's DEFAULT_ADMIN_ROLE. This role was held by a single EOA address (a regular wallet controlled by one private key) with no multisig protection, no timelock, and no rate limiting.
Step 2: Self-Grant Minter Role
grantRole(MINTER_ROLE, attacker_wallet)
Used admin privileges to grant themselves the minter role.
Step 3: Mint Fake eBTC
mint(attacker_wallet, 1000e8)
1,000 eBTC appeared out of thin air. Face value $76.7M, real BTC backing: 0.
Step 4: Cover Tracks
The attacker then revoked its own admin role, making the on-chain trail less obvious. This was premeditated: the attacker knew investigators would first scan role authorization records.
Step 5: Cash Out via Curvance
- Deposited 45 fake eBTC (face value $3.45M) into Curvance as collateral
- Curvance had zero verification to distinguish real from fake eBTC—from the contract's perspective, eBTC is just eBTC
- Borrowed 11.29 WBTC (~$867,700)
Step 6: Cross-Chain Laundering
- Bridged WBTC to Ethereum mainnet
- Swapped to ETH
- Approximately 384 ETH ($821,700) deposited to Tornado Cash
Step 7: Remaining Fake Tokens Stranded
955 eBTC remained in the attacker's Monad wallet and could not be cashed out further because liquidity was exhausted. The Echo team subsequently destroyed these tokens.
Dual Failure Analysis
Failure 1: Echo Protocol — Single Private Key Managing $254M+ Protocol
- DEFAULT_ADMIN_ROLE tied to an EOA
- No multisig, no timelock, no minting cap, no rate limit
- Entire Monad deployment security equivalent to single private key security
Failure 2: Curvance — No Collateral Source Verification
- Accepted newly minted eBTC as collateral without verifying BTC backing
- Lending protocols should implement post-mint cooldown periods or whitelist mechanisms
- Isolated market design limited contagion but did not prevent single-asset exploitation
2026 DeFi Security Trends
| Trend | Percentage | Description |
|---|---|---|
| Admin key/private key theft | 70%+ | Primary attack vector in 2026 |
| LayerZero bridge exploits | 18% | Cross-chain infrastructure risk |
| Fake/deception tokens | 14% | Like the fake eBTC in this case |
| Smart contract vulnerabilities | <10% | Traditional attack vectors declining |
Major May 2026 Events
| Date | Project | Loss | Cause |
|---|---|---|---|
| 5/24 | StablR | $2.8M | 1-of-3 multisig key compromised |
| 5/22 | Polymarket | $600K+ | Exploitation |
| 5/22 | Verus Bridge | $8.5M (returned) | Malicious nodes + GG20 exploit |
| 5/21 | Map Protocol | 96% crash | 10 trillion tokens minted |
| 5/19 | Echo Protocol | $816K | Admin key compromised |
| 5/15 | THORChain | $10M | Malicious nodes |
| April | Drift | $285M | CCTP exploit |
| April | KelpDAO | $292M | Protocol attack |
Defense Recommendations
For Protocols
- Multisig Management: Minimum 2-of-3, recommended 3-of-5 + hardware wallets
- Timelock: Ownership changes require 24-48 hour delay
- Minting Cap: Single/daily minting limits
- Rate Limiting: Large mints trigger alerts and delays
- Role Separation: Admin/minter/pauser use different controllers
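The five recommendations above can be expressed as a small policy model. The Python below is an added illustration written for this report, not Echo Protocol's, Curvance's or OpenZeppelin's code: the cap values, the `SATS` constant (eBTC's 8 decimals, from the `1000e8` mint on this page), and the `MintPolicy` / `Controller` names are assumptions chosen for the example. A real deployment enforces the caps in the token contract and the role separation in the multisig configuration; the model only shows the decisions such controls would have produced for the mint in this incident.

```python
"""Mint-policy model: per-transaction cap, rolling daily cap, delay-and-alert for
large mints, and an audit that admin/minter/pauser are separate multisig controllers.
Added illustration; not Echo Protocol's or OpenZeppelin's code."""
from dataclasses import dataclass, field
from enum import Enum

SATS = 10**8        # eBTC has 8 decimals (1000e8 == 1,000 eBTC on the page)
DAY = 24 * 3600


class Decision(Enum):
    ALLOW = "allow"    # within caps and below the alert threshold: executes now
    DELAY = "delay"    # within caps but large: queued behind the timelock, alert raised
    REJECT = "reject"  # breaches a hard cap: never executes


@dataclass
class MintPolicy:
    per_tx_cap: int           # hard cap on any single mint
    daily_cap: int            # hard cap on mints executed or queued in any rolling 24h
    alert_threshold: int      # mints above this are delayed and alerted, not rejected
    delay_seconds: int = DAY  # timelock applied to delayed mints
    _ledger: list = field(default_factory=list)  # (request_time, amount) of accepted requests

    def minted_last_24h(self, now: int) -> int:
        cutoff = now - DAY
        return sum(a for t, a in self._ledger if t > cutoff)

    def evaluate(self, amount: int, now: int) -> Decision:
        """Pure decision: hard caps first, then the alert/delay threshold."""
        if amount <= 0 or amount > self.per_tx_cap:
            return Decision.REJECT
        if self.minted_last_24h(now) + amount > self.daily_cap:
            return Decision.REJECT
        if amount > self.alert_threshold:
            return Decision.DELAY
        return Decision.ALLOW

    def request(self, amount: int, now: int) -> Decision:
        d = self.evaluate(amount, now)
        if d is not Decision.REJECT:
            # Delayed mints reserve daily capacity at request time, so a burst of
            # queued requests cannot exceed the cap once the timelock expires.
            self._ledger.append((now, amount))
        return d


@dataclass(frozen=True)
class Controller:
    """Who can exercise a role: a set of signer ids and an m-of-n threshold."""
    name: str
    signers: frozenset
    threshold: int


def audit_roles(roles: dict) -> list:
    """Findings for a {role_name: Controller} mapping (empty list == passes)."""
    findings = []
    for role, c in roles.items():
        if c.threshold < 2 or len(c.signers) < 2:
            findings.append(f"{role}: single-key control via {c.name}")
        if c.threshold > len(c.signers):
            findings.append(f"{role}: threshold exceeds signer count")
    names = list(roles)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if roles[a].signers == roles[b].signers:
                findings.append(f"{a}/{b}: same controller, roles not separated")
    return findings


if __name__ == "__main__":
    # Constructed caps: 10 eBTC per mint, 50 eBTC per day, alert above 2 eBTC.
    policy = MintPolicy(per_tx_cap=10 * SATS, daily_cap=50 * SATS, alert_threshold=2 * SATS)
    print("1,000 eBTC mint:", policy.evaluate(1000 * SATS, now=0).value)
    eoa = Controller("single EOA", frozenset({"key-1"}), 1)
    for f in audit_roles({"DEFAULT_ADMIN_ROLE": eoa, "MINTER_ROLE": eoa}):
        print("finding:", f)
```

Under these caps the incident's single 1,000 eBTC mint is rejected outright, and a minter that tries to reach the same amount in 10 eBTC slices is stopped by the daily cap after five of them, each already delayed and alerted because it exceeds the 2 eBTC threshold.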
For Lending Protocols
- Collateral Source Verification: Newly minted tokens require cooldown before serving as collateral
- Minting Monitoring: Real-time monitoring of abnormal token supply growth
- Isolated Markets: Curvance's isolated market design limited contagion—well done
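The attack flow above (self-grant of MINTER_ROLE, one mint that dwarfs existing supply, self-revocation of the admin role) is exactly the sequence the "Minting Monitoring" recommendation should catch. The Python below is an added illustration for this report, not Echo's, Curvance's or any monitoring product's code: it walks decoded AccessControl and ERC-20 events in block order and raises alerts on those three signals. The addresses, the 20 eBTC starting supply and the event records are constructed stand-ins for real Monad logs, and `sender` (the transaction originator) is an assumed field a real decoder would attach from the transaction.

```python
"""Event-log monitor for the mint-abuse pattern: a freshly granted MINTER_ROLE used
within a few blocks, a mint that is large relative to existing supply, and roles
granted or revoked by the account itself. Added illustration over constructed
events; not Echo's, Curvance's or any monitoring vendor's code."""

ZERO = "0x" + "00" * 20   # ERC-20 mints are Transfer events from the zero address
SATS = 10**8              # eBTC has 8 decimals

# Constructed addresses and events, not real on-chain data.
ADMIN_MULTISIG = "0x" + "ad" * 20
TREASURY_MINTER = "0x" + "11" * 20
NEW_ACCOUNT = "0x" + "aa" * 20
INITIAL_SUPPLY = 20 * SATS   # constructed starting supply of 20 eBTC

SAMPLE_EVENTS = [
    # Legitimate setup long ago, followed by a routine 0.5 eBTC mint.
    {"block": 1, "event": "RoleGranted", "role": "MINTER_ROLE",
     "account": TREASURY_MINTER, "sender": ADMIN_MULTISIG},
    {"block": 50, "event": "Transfer", "from": ZERO, "to": TREASURY_MINTER,
     "value": SATS // 2, "sender": TREASURY_MINTER},
    # The incident sequence: self-grant, 1,000 eBTC mint, self-revoke.
    {"block": 100, "event": "RoleGranted", "role": "MINTER_ROLE",
     "account": NEW_ACCOUNT, "sender": NEW_ACCOUNT},
    {"block": 101, "event": "Transfer", "from": ZERO, "to": NEW_ACCOUNT,
     "value": 1000 * SATS, "sender": NEW_ACCOUNT},
    {"block": 102, "event": "RoleRevoked", "role": "DEFAULT_ADMIN_ROLE",
     "account": NEW_ACCOUNT, "sender": NEW_ACCOUNT},
]


def scan(events, initial_supply, grant_use_window=10, growth_alert_ratio=0.5):
    """Return (alerts, final_supply). Each alert is (block, kind, detail).

    grant_use_window:   blocks within which a new minter using its role is suspicious
    growth_alert_ratio: a single mint above this fraction of current supply is flagged
    """
    alerts = []
    supply = initial_supply
    granted_at = {}   # (role, account) -> block the role was granted

    for e in sorted(events, key=lambda ev: ev["block"]):
        kind = e["event"]
        if kind == "RoleGranted":
            granted_at[(e["role"], e["account"])] = e["block"]
            if e["sender"] == e["account"]:
                alerts.append((e["block"], "self-grant", e["role"]))
        elif kind == "RoleRevoked":
            if e["sender"] == e["account"]:
                alerts.append((e["block"], "self-revoke", e["role"]))
        elif kind == "Transfer" and e["from"] == ZERO:
            amount = e["value"]
            grant_block = granted_at.get(("MINTER_ROLE", e["sender"]))
            if grant_block is not None and e["block"] - grant_block <= grant_use_window:
                alerts.append((e["block"], "fresh-minter-used", e["sender"]))
            if supply > 0 and amount / supply > growth_alert_ratio:
                alerts.append((e["block"], "supply-growth", round(amount / supply, 2)))
            supply += amount
    return alerts, supply


if __name__ == "__main__":
    found, total = scan(SAMPLE_EVENTS, INITIAL_SUPPLY)
    for block, kind, detail in found:
        print(f"block {block}: {kind} ({detail})")
    print("supply after scan:", total / SATS, "eBTC")
```

The routine 0.5 eBTC mint at block 50 produces no alert (its minter was granted 49 blocks earlier and it adds 2.5% to supply), while the incident sequence produces four: the self-grant, the fresh minter being used one block later, a mint equal to roughly 49 times the existing supply, and the admin revoking its own role. A lending protocol that pauses new collateral deposits of a token on any of these signals would have rejected the 45 eBTC deposited into Curvance.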
Pending Deep Investigation Areas
- Admin Key Compromise Method: Phishing/insider/supply chain/malware?
- Attacker On-Chain Footprint: Fund destinations after Tornado Cash deposit
- Curvance Bad Debt Handling: How are bad debts from 45 fake eBTC handled?
- Cross-Chain Bridge Security: WBTC bridging path from Monad to Ethereum
- Echo Aptos Deployment Comparison: Are aBTC management permissions equally vulnerable?
Data Sources
- BeInCrypto - Echo Protocol Hack Autopsy
- PIGlobalInvestments - Echo Protocol Hack on Monad
- Cointelegraph - Echo Protocol eBTC exploited
- BingX - ECHO token slides
- The Arabian Post - Echo breach exposes Bitcoin DeFi risks
- @dcfgod X post (initial exploit alert)
- @keoneHD (Monad co-founder) confirmation
Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.