Echo Protocol Investigation: Flash Loan Exploit Analysis

📅 2025-05-27
flash-loan defi-exploit arbitrum

Echo Protocol eBTC Admin Key Attack Investigation Report

Date: May 27, 2026

Event: Echo Protocol eBTC Admin Key Attack

Attack Time: May 18, 2026 ~17:55 ET

Investigator: Onchain Shadow


Executive Summary

The BTCFi protocol Echo Protocol's eBTC deployment on Monad suffered an admin key attack. The attacker obtained DEFAULT_ADMIN_ROLE, self-granted MINTER_ROLE, minted 1,000 units of unbacked eBTC (face value $76.7M), and cashed out approximately $816K in real assets through the Curvance lending protocol before laundering the proceeds through Tornado Cash. Because liquidity in the Monad DeFi ecosystem was insufficient, the remaining 955 eBTC could not be sold and were ultimately destroyed by the Echo team.

Key Lesson: A $254M+ TVL protocol with management permissions tied to a single EOA private key—one key is the entire line of defense.


Key Metrics

| Metric | Value |
|--------|-------|
| Fake Token Face Value | ~$76.7M (1,000 eBTC) |
| Actual Cash-Out Amount | ~$816K (384 ETH → Tornado Cash) |
| Face Value to Actual Ratio | 94:1 (due to liquidity insufficiency) |
| Destroyed Fake Tokens | 955 eBTC |
| Echo Aptos TVL | ~$254M |
| ECHO Token Decline | -11% (after news broke) |


Attack Flow Breakdown

Step 1: Obtain Admin Privileges

The attacker obtained control of the eBTC contract's DEFAULT_ADMIN_ROLE. This permission was tied to a single EOA address (a regular wallet controlled by one private key) with no multisig protection, no timelock, and no rate limiting.

Step 2: Self-Grant Minter Role

grantRole(MINTER_ROLE, attacker_wallet)

Used admin privileges to grant themselves the minter role.

Step 3: Mint Fake eBTC

mint(attacker_wallet, 1000e8)

1,000 eBTC appeared out of thin air. Face value $76.7M, real BTC backing: 0.

Step 4: Cover Tracks

Attacker revoked their own admin privileges, making on-chain traces less obvious. This was premeditated—the attacker knew investigators would first scan role authorization records.

Step 5: Cash Out via Curvance

  • Deposited 45 fake eBTC (face value $3.45M) into Curvance as collateral
  • Curvance had zero verification to distinguish real from fake eBTC—from the contract's perspective, eBTC is just eBTC
  • Borrowed 11.29 WBTC (~$867,700)

Step 6: Cross-Chain Laundering

  • Bridged WBTC to Ethereum mainnet
  • Swapped to ETH
  • Approximately 384 ETH ($821,700) deposited to Tornado Cash

Step 7: Remaining Fake Tokens Stranded

955 eBTC remained in the attacker's Monad wallet and could not be cashed out further because liquidity was exhausted. The Echo team subsequently destroyed these tokens.


Dual Failure Analysis

Failure 1: Echo Protocol — Single Private Key Managing $254M+ Protocol

  • DEFAULT_ADMIN_ROLE tied to an EOA
  • No multisig, no timelock, no minting cap, no rate limit
  • Entire Monad deployment security equivalent to single private key security

Failure 2: Curvance — No Collateral Source Verification

  • Accepted newly minted eBTC as collateral without verifying BTC backing
  • Lending protocols should implement post-mint cooldown periods or whitelist mechanisms
  • Isolated market design limited contagion but did not prevent single-asset exploitation


2026 DeFi Security Trends

| Trend | Percentage | Description |
|-------|------------|-------------|
| Admin key/private key theft | 70%+ | Primary attack vector in 2026 |
| LayerZero bridge exploits | 18% | Cross-chain infrastructure risk |
| Fake/deception tokens | 14% | Like the fake eBTC in this case |
| Smart contract vulnerabilities | <10% | Traditional attack vectors declining |

Major May 2026 Events

| Date | Project | Loss | Cause |
|------|---------|------|-------|
| 5/24 | StablR | $2.8M | 1-of-3 multisig key compromised |
| 5/22 | Polymarket | $600K+ | Exploitation |
| 5/22 | Verus Bridge | $8.5M (returned) | Malicious nodes + GG20 exploit |
| 5/21 | Map Protocol | 96% crash | 10 trillion tokens minted |
| 5/19 | Echo Protocol | $816K | Admin key compromised |
| 5/15 | THORChain | $10M | Malicious nodes |
| April | Drift | $285M | CCTP exploit |
| April | KelpDAO | $292M | Protocol attack |


Defense Recommendations

For Protocols

  • Multisig Management: Minimum 2-of-3, recommended 3-of-5 + hardware wallets
  • Timelock: Ownership changes require 24-48 hour delay
  • Minting Cap: Single/daily minting limits
  • Rate Limiting: Large mints trigger alerts and delays
  • Role Separation: Admin/minter/pauser use different controllers

For Lending Protocols

  • Collateral Source Verification: Newly minted tokens require cooldown before serving as collateral
  • Minting Monitoring: Real-time monitoring of abnormal token supply growth
  • Isolated Markets: Curvance's isolated market design limited contagion—well done
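The "Minting Monitoring" recommendation above, applied to the role-grant, mint and role-revoke sequence from steps 2-4 of the attack flow. This is an added example, not code from Echo, Curvance or the investigator; the event format, addresses, timestamps, the 500 eBTC pre-attack supply and the cap values are all constructed assumptions.

```python
from collections import deque

ZERO = "0x" + "0" * 40
# Constructed sample event log modelled on steps 2-4 of the attack flow above.
# Addresses, timestamps, the 500 eBTC pre-attack supply and the 5 eBTC routine
# mint are placeholders, not on-chain data. Mints appear as Transfer from ZERO.
ATTACKER, TREASURY = "0xattacker", "0xtreasury"
SAMPLE_EVENTS = [
    {"t": 50,  "ev": "Transfer", "from": ZERO, "to": TREASURY, "amount": 5 * 10**8},
    {"t": 100, "ev": "RoleGranted", "role": "MINTER_ROLE", "account": ATTACKER, "sender": ATTACKER},
    {"t": 101, "ev": "Transfer", "from": ZERO, "to": ATTACKER, "amount": 1000 * 10**8},
    {"t": 102, "ev": "RoleRevoked", "role": "DEFAULT_ADMIN_ROLE", "account": ATTACKER, "sender": ATTACKER},
]

def monitor(events, initial_supply, per_tx_cap=50 * 10**8, daily_cap=100 * 10**8,
            growth_pct=10, revoke_window=3600):
    """Replay AccessControl and ERC-20 events in order; return (rule, t, detail) alerts.

    Cap values are illustrative policy numbers: a protocol would size them from
    its expected BTC inflow so that a legitimate day of minting never trips them.
    """
    alerts, supply, recent = [], initial_supply, deque()  # recent: (t, amount) mints in 24h
    self_grants = {}                                        # address -> time of last self-grant
    for e in events:
        t = e["t"]
        if e["ev"] == "RoleGranted" and e["sender"] == e["account"]:
            self_grants[e["account"]] = t
            alerts.append(("self_grant", t, f'{e["account"]} granted itself {e["role"]}'))
        elif e["ev"] == "RoleRevoked" and e["sender"] == e["account"]:
            # Step 4 pattern: privileges dropped soon after a self-grant (covering tracks).
            if t - self_grants.get(e["account"], -revoke_window - 1) <= revoke_window:
                alerts.append(("grant_then_revoke", t, f'{e["account"]} dropped {e["role"]} after self-grant'))
        elif e["ev"] == "Transfer" and e["from"] == ZERO:
            amt = e["amount"]
            if amt > per_tx_cap:
                alerts.append(("per_tx_cap", t, f"mint {amt} exceeds per-tx cap {per_tx_cap}"))
            if supply and amt * 100 > supply * growth_pct:
                alerts.append(("supply_growth", t, f"mint is {amt * 100 // supply}% of prior supply"))
            recent.append((t, amt))
            while t - recent[0][0] > 86400:          # drop mints older than 24h
                recent.popleft()
            minted_24h = sum(a for _, a in recent)
            if minted_24h > daily_cap:
                alerts.append(("daily_cap", t, f"24h minted {minted_24h} exceeds {daily_cap}"))
            supply += amt
    return alerts

if __name__ == "__main__":
    for rule, t, detail in monitor(SAMPLE_EVENTS, initial_supply=500 * 10**8):
        print(f"t={t:<4} {rule:<18} {detail}")
```

The routine 5 eBTC mint passes every rule, while the single 1,000 eBTC mint trips the per-transaction cap, the supply-growth check and the daily cap at once, so any one of the three would have been enough to page an operator before the Curvance deposit.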

Pending Deep Investigation Areas

  • Admin Key Compromise Method: Phishing/insider/supply chain/malware?
  • Attacker On-Chain Footprint: Fund destinations after Tornado Cash deposit
  • Curvance Bad Debt Handling: How are bad debts from 45 fake eBTC handled?
  • Cross-Chain Bridge Security: WBTC bridging path from Monad to Ethereum
  • Echo Aptos Deployment Comparison: Are aBTC management permissions equally vulnerable?

Data Sources

Investigator: Onchain Shadow

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.