Echo Protocol, a DeFi protocol on the Monad chain, suffered a major hack. The attackers allegedly used the Admin private key to mint 1,000 eBTC (approximately $76.7 million) directly and, through multiple layers of cross-chain operations, ultimately sent approximately 384 ETH (approximately $820,000) into the mixer Tornado Cash.
Attack steps broken down: minting, staking, cross-chain, money laundering
PeckShieldAlert's on-chain monitoring revealed that after obtaining the Admin private key, the attacker directly triggered the minting function, creating 1,000 eBTC (Echo Protocol's BTC-pegged token, with a total value of approximately $76.7 million) out of thin air. The attacker then executed a pre-tested fund transfer process:
- Deposit 45 eBTC (approximately $3.45 million) into the DeFi lending protocol Curvance as collateral.
- Borrow approximately 11.29 WBTC (approximately $868,000) against that collateral.
- Bridge the WBTC across chains to the Ethereum mainnet.
- Exchange the WBTC for ETH on Ethereum.
- Send 384 ETH (approximately $820,000) to the Tornado Cash mixer.
The steps followed one another cleanly, and the "pre-tested process" detail stands out: it indicates that the attackers had fully rehearsed the entire exit route for the funds before actually launching the attack.
Yu Xian: Admin single-point private key compromise, not a contract vulnerability
SlowMist founder Yu Xian pointed out earlier on X that the root cause of the Echo Protocol hack was suspected to be the compromise of the single-signature Admin private key, rather than a vulnerability in the smart contract itself.
This assessment points to a long-standing centralization blind spot in DeFi protocol security: if minting permission is controlled by a single private key, then once that key is leaked or stolen the attacker effectively gains unlimited minting rights, rendering the entire staking mechanism ineffective.
Such "Admin Key attacks" are common in the DeFi ecosystem, yet some development teams still delay adopting multisig or timelock mechanisms, citing "ease of operation and management" as the reason.
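The contrast drawn above between a single admin key and multisig or timelock controls, as an added Python model. It is not Echo Protocol's code, and the class names, signer names, threshold and delay are assumptions chosen for illustration:

```python
# Added illustration (hypothetical names): off-chain model of mint authorization.
from dataclasses import dataclass, field

@dataclass
class SingleKeyMinter:
    """Weak design: the holder of one admin key mints any amount immediately."""
    admin: str
    supply: int = 0

    def mint(self, caller, amount):
        if caller != self.admin:
            raise PermissionError("not admin")
        self.supply += amount

@dataclass
class GuardedMinter:
    """Hardened design: M-of-N approvals plus a timelock before execution."""
    signers: frozenset
    threshold: int
    delay: int        # seconds between queueing and earliest execution
    supply: int = 0
    next_id: int = 1
    queue: dict = field(default_factory=dict)  # proposal id -> pending mint

    def _signer(self, caller):
        if caller not in self.signers:
            raise PermissionError("not a signer")

    def propose(self, caller, amount, now):
        self._signer(caller)
        pid, self.next_id = self.next_id, self.next_id + 1
        self.queue[pid] = {"amount": amount, "eta": now + self.delay, "approvals": {caller}}
        return pid

    def approve(self, caller, pid):
        self._signer(caller)
        self.queue[pid]["approvals"].add(caller)

    def cancel(self, caller, pid):  # any signer can veto while the timelock runs
        self._signer(caller)
        self.queue.pop(pid, None)

    def execute(self, pid, now):
        p = self.queue.get(pid)
        if p is None or len(p["approvals"]) < self.threshold:
            raise PermissionError("unknown, cancelled or under-approved proposal")
        if now < p["eta"]:
            raise PermissionError("timelock still active")
        self.supply += self.queue.pop(pid)["amount"]
        return self.supply
```

With a 2-of-3 threshold, one stolen signer key can only queue a proposal. The delay is the window in which the remaining signers, alerted by monitoring, can cancel it before any supply is created.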
As of press time, Echo Protocol has not issued an official statement, and the current status of the protocol and compensation plans for affected users are unknown.




