The decentralized finance (DeFi) sector has been hit by another devastating security breach. On Tuesday, May 19, 2026, blockchain security firm PeckShield confirmed that Echo Protocol, a prominent liquidity and yield platform for Bitcoin holders, suffered an exploit resulting in the unauthorized creation of roughly 1,000 synthetic eBTC, valued at $76 million.
The breach marks the latest high-profile vulnerability in a turbulent weeks-long stretch for DeFi infrastructure, closely following nine-figure exploits on Drift Protocol and KelpDAO.
#PeckShieldAlert @dcfgod reports that @EchoProtocol_ was hacked on @monad
The hacker minted 1k $eBTC ($76.7M) &, utilizing the tested flow, deposited 45 $eBTC ($3.45M) into Curvance. They then borrowed ~11.29 $WBTC ($867.7K) against it, bridged the $WBTC to #Ethereum, swapped… https://t.co/DjgI0v85Rw pic.twitter.com/wNnA77UDuI
— PeckShieldAlert (@PeckShieldAlert) May 18, 2026
Mechanics of the Minting Attack
The exploit took place on Echo Protocol’s recently deployed infrastructure on the Monad blockchain. The attacker managed to compromise a sensitive administrative cryptographic key, granting them high-level permissions to manipulate core smart contracts.
With this administrative access, the hacker bypassed standard collateral requirements to mint 1,000 unbacked eBTC directly onto Monad. To extract liquid value before the protocol could react, the attacker deposited a portion of the fraudulent tokens into the money market and reward layers at Curvance. Using the unbacked eBTC as spoofed collateral, they successfully borrowed Wrapped Bitcoin (WBTC) worth $3.45 million and swiftly routed the stolen funds through the privacy-focused mixer Tornado Cash to obscure the cash-out trail.
Emergency Burns and Cross-Chain Halts
Echo Protocol’s core developers moved quickly to mitigate the systemic fallout once the anomalous minting event was flagged. The team successfully re-secured the compromised admin keys and executed an emergency contract override to burn the remaining 955 eBTC still residing in the attacker’s wallet, effectively neutralizing the bulk of the unbacked synthetic supply.
“We have paused cross-chain functionality for the Monad deployment and completed an upgrade of the relevant Monad contract to restrict affected operations and strengthen control over sensitive functions,” Echo Protocol stated via X.
While Echo Protocol’s foundational deployment operates out of the Aptos network, the team has paused all Aptos bridge operations as a precautionary measure while external auditors conduct a full forensic investigation into how the administrative credentials were leaked.
