Taiko Tells Users to Bridge Out ASAP After $1.7M Exploit 🏃♂️
Taiko, an Ethereum layer-2 blockchain, confirmed a compromise of its chain state verification mechanism and urged users to immediately withdraw funds from all bridges deployed on the network. In a security notice posted Sunday, the project said the security assumptions underlying all bridges on Taiko could no longer be relied upon, and that it was coordinating with its Security Council and ecosystem partners to contain the incident, pause affected systems, and pursue technical and legal responses. "We strongly advise all users to withdraw their funds from all bridges deployed on Taiko immediately," the team wrote on X.
Blockchain security firm Blockaid said the root cause appears to be a flaw in how the Taiko bridge validated source signals, with message proofs accepted as valid on Ethereum without corresponding legitimate proofs on the Taiko blockchain. "This allowed the attacker to register and later retrieve fraudulent bridge messages, resulting in unauthorized asset releases from the ERC20 vault," Blockaid said. Separately, BlockSec Phalcon attributed the breach to a Raiko SGX enclave signing key that had been publicly accessible on GitHub, writing on X that "because the enclave signing key was publicly accessible, the SGX prover trust model may have been broken" and that "the exposed key may have allowed the attacker to register attacker-controlled SGX instances via SgxVerifier.registerInstance."
Blockaid estimated losses of at least $1 million, while Lookonchain and PeckShield put the figure as high as $1.7 million. Blockchain intelligence firm Arkham shows Taiko exploiter wallets holding around $1.5 million, primarily in Ether (ETH), and PeckShield stated the exploiter has already transferred 1.99 million Taiko (TAIKO) tokens worth around $189,000 to MEXC. TAIKO is trading down 98% from its 2024 peak at $0.084, according to CoinGecko.
Taiko is an Ethereum layer-2 network that uses zero-knowledge rollups and was co-founded by former Loopring CEO Daniel Wang; the network launched its mainnet in May 2024.
The breach is the latest in a series of crypto protocol exploits in June, which now number at least 23 according to DeFiLlama. The largest two this month have been Humanity Protocol, which lost over $30 million, and Syscoin Bridge, which lost over $8 million. Other notable June incidents include Aztec Connect, RetoSwap, Raydium AMM, and a Secret Network bridge exploit disclosed Friday that resulted in $4.67 million in losses following an "infinite mint" bug. On Saturday, around $1.1 million was drained from the OLPC/LABUBU liquidity pool on PancakeSwap, with LABUBU being a memecoin inspired by the popular toys of the same name. Looking further back, attackers stole $292 million from KelpDAO's cross-chain bridge in April in an attack later linked to North Korea's Lazarus Group, and in May, Echo Protocol disclosed a breach involving the unauthorized minting of $77 million worth of eBTC on Monad, though the project estimated realized losses at about $816,000. Solana-based exchange Raydium also lost $1.34 million earlier this month after attackers exploited deprecated liquidity pools, and DeFi protocols lost more than $840 million in the first five months of the year.