Taiko urges users to withdraw as bridge exploit drains $1.7M
Incident Overview
Taiko's bridge and ERC20 Vault on Ethereum suffered a compromise in their chain state verification mechanism, allowing forged proofs and unauthorized withdrawals.
Response and Impact
Taiko said it was coordinating partners to contain the incident and had paused affected systems. Crypto security firm Blockaid said that the root cause appears to be a flaw in how the Taiko bridge validated source signals. It said that message proofs were accepted as valid on Ethereum without corresponding legitimate proofs on the Taiko blockchain.
"This allowed the attacker to register and later retrieve fraudulent bridge messages, resulting in unauthorized asset releases from the ERC20 vault," Blockaid said.
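The flaw Blockaid describes, releases on Ethereum with no matching signal on the source chain, is the kind of invariant a bridge operator can monitor independently of the contracts. The sketch below is an added example, not code from Taiko, Blockaid or the original article; the record fields, the hash format, the finality cutoff and all sample data are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

def message_id(msg):
    """Hash the fields that must be identical on both chains (hypothetical format)."""
    fields = (msg["nonce"], msg["token"], msg["recipient"], msg["amount"])
    return hashlib.sha256("|".join(map(str, fields)).encode()).hexdigest()

def reconcile(source_signals, dest_releases, finalized_height):
    """Return (tx, reason) alerts for vault releases not backed by a finalized source signal."""
    backed = {message_id(s) for s in source_signals if s["block"] <= finalized_height}
    pending = {message_id(s) for s in source_signals if s["block"] > finalized_height}
    seen = Counter()
    alerts = []
    for r in dest_releases:
        mid = message_id(r)
        seen[mid] += 1
        if mid in backed:
            # A legitimate signal may be redeemed exactly once.
            if seen[mid] > 1:
                alerts.append((r["tx"], "replayed_release"))
        elif mid in pending:
            alerts.append((r["tx"], "source_not_finalized"))
        else:
            # Also covers tampered fields: a changed amount or recipient changes the hash.
            alerts.append((r["tx"], "no_source_signal"))
    return alerts

# Constructed sample data: signals recorded on the source chain.
SOURCE = [
    {"nonce": 1, "token": "TOKEN_A", "recipient": "0xaaa", "amount": 500, "block": 90},
    {"nonce": 2, "token": "TOKEN_A", "recipient": "0xbbb", "amount": 200, "block": 105},
]
# Constructed sample data: releases observed from the destination-chain vault.
DEST = [
    {"tx": "0xd1", "nonce": 1, "token": "TOKEN_A", "recipient": "0xaaa", "amount": 500},
    {"tx": "0xd2", "nonce": 3, "token": "TOKEN_A", "recipient": "0xccc", "amount": 1000000},
    {"tx": "0xd3", "nonce": 2, "token": "TOKEN_A", "recipient": "0xbbb", "amount": 200},
    {"tx": "0xd4", "nonce": 1, "token": "TOKEN_A", "recipient": "0xaaa", "amount": 500},
]

if __name__ == "__main__":
    for tx, reason in reconcile(SOURCE, DEST, finalized_height=100):
        print(tx, reason)
```

Any `no_source_signal` alert means the vault paid out on a message the source chain never emitted, which is a condition worth wiring to an automatic pause.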
Blockaid estimated that at least $1 million had been stolen, while Lookonchain and PeckShield suggested the value of assets stolen could be as high as $1.7 million. The exploiter has already transferred 1.99 million Taiko (TAIKO) tokens worth around $189,000 to MEXC, stated PeckShield.
TAIKO is currently trading at $0.084, down 98% from its 2024 peak, according to CoinGecko.
Attacker Holdings
Blockchain intelligence firm Arkham shows Taiko exploiter wallets holding around $1.5 million, primarily in Ether (ETH). The Taiko exploiter account holds more than $1.5 million in ETH.
Recent Exploits
The attack comes just days after the discovery on Friday of a smart contract exploit on the Secret Network, which resulted in the theft of $4.67 million worth of assets. On Saturday, around $1.1 million was drained from the OLPC/LABUBU liquidity pool on PancakeSwap. LABUBU is a memecoin inspired by the popular toys of the same name.
Other notable exploits in June include:
- Aztec Connect
- RetoSwap
- Raydium AMM
- Humanity Protocol (the largest so far this month)