Taiko's Bridge Gets a Bridge to Nowhere After $1.7M Exploit 🕳️

Taiko, an Ethereum layer-2 blockchain, confirmed a compromise of its chain state verification mechanism on Monday, prompting the project to urge users to withdraw assets from all bridges deployed on the network. "We have confirmed a compromise of Taiko's chain state verification mechanism," Taiko posted to X early Monday. "As a result, the security assumptions of all bridges deployed on Taiko can no longer be relied upon." The protocol added: "We strongly advise all users to withdraw their funds from all bridges deployed on Taiko immediately." Taiko said it was coordinating partners to contain the incident and had paused affected systems.

Crypto security firm Blockaid estimated that at least $1 million had been stolen, while Lookonchain and PeckShield put the figure as high as $1.7 million. Blockaid said the root cause appears to be a flaw in how the Taiko bridge validated source signals, stating that message proofs were accepted as valid on Ethereum without corresponding legitimate proofs on the Taiko blockchain. "This allowed the attacker to register and later retrieve fraudulent bridge messages, resulting in unauthorized asset releases from the ERC20 vault," Blockaid said. PeckShield reported that the exploiter had transferred 1.99 million Taiko (TAIKO) tokens worth around $189,000 to MEXC. TAIKO is currently trading down 98% from its 2024 peak at $0.084, according to CoinGecko. Blockchain intelligence firm Arkham shows Taiko exploiter wallets holding around $1.5 million, primarily in Ether (ETH).

The incident marks at least the 23rd crypto protocol exploit this month, according to DeFiLlama. The largest two June exploits so far have been Humanity Protocol and Syscoin Bridge, which lost over $30 million and $8 million, respectively. Friday's disclosure of a smart contract exploit on the Secret Network resulted in the theft of $4.67 million worth of assets, and on Saturday around $1.1 million was drained from the OLPC/LABUBU liquidity pool on PancakeSwap. Other notable June exploits include Aztec Connect, RetoSwap, and Raydium AMM.