An attacker minted 1,000 unbacked eBTC tokens worth approximately $76.7 million on Monad. The Echo Protocol hack resulted from a compromised admin private key,
Author: Sahil Thakur
19th May 2026 – An attacker minted 1,000 unbacked eBTC tokens worth approximately $76.7 million on Monad. The Echo Protocol hack resulted from a compromised admin private key, not a smart contract bug.
High Signal Summary For A Quick Glance
yyy
@y_cryptoanalyst
巨大的草台班子。 Echo Protocol 的eBTC 合约管理员私钥被盗,黑客授权自己无限铸币权限,在 @monad 链上铸造了1000枚eBTC。 你没看错。这么重要的权限,@EchoProtocol_ 团队既没用多签也没设置时间锁。 更耐人寻味的是,Monad 链上原生的龙头借贷协议 @Curvance 支持eBTC https://t.co/8InQZd9Hzf
12:59 AM·May 19, 2026
Marioo
@MarioY00
Echo Protocol (@EchoProtocol_) exploited on @monad NOT a smart contract bug — admin private key compromise. Attacker minted 1,000 eBTC out of thin air → used as Curvance collateral → borrowed WBTC → bridged out. Full attack chain w/ tx hashes ↓ 1/ The key handover
11:19 PM·May 18, 2026
DCF GOD
@dcfgod
gm @EchoProtocol_ may be hacked on @monad Someone minted 1k ebtc out of nowhere, max borrowed wbtc against it on @Curvance, bridged, and tornado away
09:55 PM·May 18, 2026
High attention and emotional sentiment detected.
On-chain analysts traced the attack to a compromised externally owned account (EOA). This account held admin privileges over Echo Protocol’s eBTC token contract. As a result, the attacker granted themselves DEFAULT_ADMIN_ROLE, revoked the legitimate admin, and self-assigned MINTER_ROLE.
According to PeckShieldAlert, the attacker then deposited 45 eBTC (~$3.45M) into Curvance’s lending market. They borrowed ~11.29 WBTC (~$867K) against it. After that, they bridged the WBTC to Ethereum, swapped it for ~384 ETH, and sent the ETH into Tornado Cash.
The attack began roughly one hour before the mint. During that window, the attacker gained control of Echo Protocol’s admin EOA. The compromised address was 0xA338eC2d52B19f4A48A00FCd76A36366B3529A3B.
Independent on-chain analyst MarioY00 documented the full sequence of role-grant and revoke transactions. Once the attacker held both admin and minter roles, they called the mint function on the eBTC contract.
The mint transaction created 1,000 eBTC from address(0) with no backing. The eBTC contract address is 0xd691b0aFed67F96CEC28Ab6308Cbe5b2C103b7e9 on Monad. In total, the entire chain of events completed within hours on May 18, 2026.
Key milestones related to the Echo Protocol eBTC incident
The attacker allegedly gained control of Echo Protocol’s admin EOA 0xA338eC2d52B19f4A48A00FCd76A36366B3529A3B, granted themselves DEFAULT_ADMIN_ROLE, revoked the legitimate admin, and self-assigned MINTER_ROLE. Exact tx hashes for the role-grant/revoke sequence were referenced in MarioY00’s thread but were not included in the supplied source text.
The compromised admin path was used to mint 1,000 eBTC, valued at roughly $76.7 million, from the eBTC token contract on Monad: 0xd691b0aFed67F96CEC28Ab6308Cbe5b2C103b7e9. Tx hash: 0x2cc9730738c970b2c2ec1e1a27f38d69590db36fe069fb4ee04abaeb559357c0.
The attacker deposited 45 eBTC, worth approximately $3.45 million, as collateral into Curvance’s eBTC-WBTC lending market on Monad. The exact deposit tx hash was linked in the MarioY00 and PeckShieldAlert analyses but was not included in the supplied source text.
Using the freshly minted eBTC collateral, the attacker borrowed approximately 11.29–11.3 WBTC, worth around $867K–$870K. The exact borrow tx hash was referenced in the on-chain analysis threads but was not included in the supplied source text.
The attacker approved and bridged the borrowed WBTC to Ethereum. The bridge approval and outbound bridge transaction were cited in MarioY00’s thread, but the exact tx hashes and bridge contract details were not included in the supplied source text.
After arriving on Ethereum, the attacker swapped the bridged WBTC into approximately 384–385 ETH. The exact swap tx hash was not included in the supplied source text.
The attacker deposited roughly 384 ETH, worth about $821.7K, into Tornado Cash. PeckShieldAlert and MarioY00 both confirmed the Tornado Cash deposit, but the exact Ethereum tx hash was not included in the supplied source text.
The incident was first flagged publicly by @dcfgod, who noted that someone had minted 1,000 eBTC, borrowed WBTC against it on Curvance, bridged the funds, and sent them to Tornado Cash. Original reporting tweet: https://x.com/dcfgod/status/2056493905680720238.
PeckShieldAlert and independent analyst MarioY00 published detailed summaries describing the incident as an admin private-key compromise, not a smart-contract bug. PeckShieldAlert post: https://x.com/PeckShieldAlert/status/2056519415211192670. MarioY00 thread: https://x.com/MarioY00/status/2056514989108732272.
Curvance confirmed that it paused the affected eBTC-WBTC market, stating that the issue was isolated to that collateral market and did not affect Curvance core contracts. Official response: https://x.com/Curvance/status/2056501191492747561.
As of May 19, 2026, no official Echo Protocol statement was identified in the supplied material. Monad co-founder Keone Hon was reported in secondary coverage as confirming that the team was aware of the incident. The Monad network itself was reported as unaffected.
The attacker reportedly still holds the remaining 955 eBTC. Unknowns include whether Echo can freeze, blacklist, or otherwise neutralize the unbacked supply, how the admin key was compromised, and whether Curvance LPs face final realized bad debt.
Multiple analysts confirmed that this exploit did not involve a smart contract vulnerability. Instead, the eBTC contract functioned exactly as designed for an admin-controlled mintable token. The root cause was purely an operational security failure.
“NOT a smart contract bug. Admin private key compromise,” MarioY00 wrote. “Single-EOA admin on a mintable asset used as collateral = unacceptable in 2026.”
Specifically, the eBTC contract lacked basic safeguards now considered standard. There was no multisig requirement and no timelock on admin actions. Similarly, there was no rate limit or cap on minting. Because of this, any address holding DEFAULT_ADMIN_ROLE could mint unlimited tokens instantly.
Source: Lookonchain
Curvance confirmed it paused its eBTC-WBTC lending market shortly after the exploit surfaced. The protocol stressed that the issue was isolated to the eBTC collateral market. Its core contracts and other markets remained unaffected.
Curvance’s lending market accepted the freshly minted eBTC as collateral without supply-cap checks. As a result, the attacker borrowed real WBTC against tokens with zero legitimate backing. The eBTC-WBTC market now carries isolated bad debt.
Meanwhile, the Monad network itself operated normally throughout the incident. Monad co-founder Keone Hon confirmed the team is aware of the situation on X.
One key detail stands out in the Echo Protocol hack. The attacker created $76.7M in unbacked eBTC but only converted ~$867K into real assets. That is roughly 1.1% of the total minted value.
The remaining 955 eBTC still sits in the attacker’s wallet. These tokens could potentially be blacklisted or rendered worthless if Echo Protocol upgrades the contract. Because of this, the actual financial damage may be far lower than the headline figure.
Before the incident, Echo Protocol’s aggregate TVL stood at roughly $308M across chains, according to DefiLlama. No updated TVL charts are available for the incident window yet.
As of May 19, 2026, Echo Protocol has not released any official statement. The project powers BTCFi infrastructure across Aptos and Monad. Still, it has not confirmed whether it paused or upgraded the compromised eBTC contract.
The attacker’s identity remains unknown. Investigators have not yet determined how the private key was compromised. Phishing, malware, and insider access all remain possibilities. Additionally, no public security audits of the eBTC contract on Monad appear in current coverage.
The Echo Protocol hack highlights a recurring problem with DeFi composability. A single point of failure in one protocol can cascade into another. In this case, unbacked tokens flowed seamlessly into Curvance as collateral. Consequently, the attacker borrowed legitimate assets against fabricated value.
The crypto community on X reacted with frustration at the “single EOA admin in 2026” failure. In response, analysts emphasized the need for multisig wallets, timelocked admin functions, and mint caps. Several pointed out that tools to prevent this exact attack have existed for years.
Historically, the incident mirrors past admin key compromises in DeFi. For example, the Ronin Bridge exploit ($625M, 2022) and Harmony Horizon Bridge ($100M, 2022) both traced back to private key management failures.
The immediate question is whether Echo Protocol can freeze or blacklist the 955 eBTC still held by the attacker. If the contract supports admin upgrades, the team could neutralize the remaining unbacked supply.
Curvance also faces its own recovery process around the bad debt. The protocol’s swift pause limited further damage. However, LPs in the affected market may still bear losses.
For the broader DeFi ecosystem, this incident serves as another warning. Protocols that manage mintable assets need multisig admin controls, timelocked governance, and supply caps. A single compromised key should never mint unlimited tokens in 2026.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Echo Protocol Hack: $76.7M in eBTC Minted on Monad
ZachXBT Offers $10K Bounty on HSBG Over Alleged CEX Manipulation
ZachXBT Criticizes Phantom For Address Poisoning
Trove Markets Alleged Mastermind Doxxed in $11.5M ICO Scam
Echo Protocol Hack: $76.7M in eBTC Minted on Monad
ZachXBT Offers $10K Bounty on HSBG Over Alleged CEX Manipulation
ZachXBT Criticizes Phantom For Address Poisoning
Trove Markets Alleged Mastermind Doxxed in $11.5M ICO Scam
