The Echo eBTC Exploit on Monad: $77M Minted, $870K Stolen

Nick Sawinyh on 18 May 2026

At 21:21 UTC on Monday, May 18, 2026, someone minted 1,000 eBTC on Monad. At Bitcoin’s spot of roughly $77,000, that’s about $77M of unbacked wrapped Bitcoin appearing from nothing on Echo Protocol’s Monad books. The attacker converted ~$870K of it into real WBTC by depositing a slice as collateral on Curvance and borrowing against it. The other 99% of the fake supply is parked in the attacker’s wallet, because Monad’s lending and DEX depth can’t absorb more.

This piece was written in the first hour after the drain. The initial public flag came from @dcfgod on X, who linked the suspicious mint transaction and tagged the affected teams; Monad co-founder @keoneHD acknowledged the incident shortly after and said the team and external security researchers were investigating. Echo Protocol and Curvance have not yet published statements at the time of writing. Final numbers on bad debt, attacker holdings, and any recovery plan will shift as post-mortems land. Treat the figures below as the best on-chain reads available as of the evening of May 18, 2026.

The dollar amount is small. The architectural shape makes this worth writing about. The same privileged-role failure mode that produced the Resolv USR exploit in March and the KelpDAO rsETH exploit in April just produced another one, on a new chain, against a new asset class. The realized loss is roughly 30× smaller than Resolv and over 250× smaller than KelpDAO. The pattern is the same.

What Echo, Curvance, and Monad Are

Echo Protocol is a Bitcoin liquidity and yield project most visible to date on Move-based ecosystems. The Monad deployment is newer and smaller, and eBTC is its wrapped Bitcoin token there. The product shape is the familiar one: deposit BTC, hold a transferable representation that can move into lending, DEXs, and yield strategies the way WBTC does on Ethereum. The identification of this exploited contract with the Echo Protocol team specifically is currently community attribution; the project itself has not yet publicly confirmed the affected deployment as of writing.

Curvance is an omnichain lending protocol that lists collateral assets and lets users borrow against them, similar in shape to Aave or Morpho. On Monad it had a fresh eBTC/WBTC market running, with eBTC accepted as collateral against real WBTC borrows. The protocol’s lending logic was not the failure point here; it treated the collateral it received as exactly what the token contract said it was, and the token contract was the problem.

Monad is a young high-performance EVM L1 that opened to a wider set of deployments earlier this year. Echo, Curvance, and most of the assets sitting on Monad lending markets right now are fresh deployments, often without the operational layers (multisig admin keys, timelocks, monitoring, paranoid role separation) that the equivalent contracts on Ethereum have accumulated over years of incidents.

The Attack: Role Takeover, Then Mint

On the eBTC token contract at 0xd691b0aFed67F96CEC28Ab6308Cbe5b2C103b7e9, the attacker ran a short sequence of role-manipulation transactions: granted themselves DEFAULT_ADMIN_ROLE, used that admin role to self-grant MINTER_ROLE, and then revoked the admin role to clean up. With minter authority in hand, the actual mint was a one-line follow-up: mint() to the attacker’s address (0x6a0109d3c5ab56277096c75e8f5d1d1d45243415), 1,000 eBTC issued directly from the zero address. The mint transaction (Monad block 75,477,995) sits at:

0x2cc9730738c970b2c2ec1e1a27f38d69590db36fe069fb4ee04abaeb559357c0

How the attacker got that initial DEFAULT_ADMIN_ROLE grant is the part nobody outside the Echo team can answer yet. The plausible options are the standard ones: a compromised admin private key, a misconfigured initial deployment that left the role grantable, or a contract-level access control bug that let an unprivileged caller escalate.
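The role sequence described in this section leaves a recognizable trail in event logs, whatever the entry point turns out to be. The detector below is an added example, not code from Echo, Curvance, or the original article; it assumes the token emits OpenZeppelin-style RoleGranted/RoleRevoked events and a Transfer from the zero address on mint, and the window, threshold, accounts and log entries are all constructed.

```python
from collections import namedtuple

# Decoded log: block number, event name, decoded args, tx sender (all sample values constructed).
Ev = namedtuple("Ev", "block name args tx_from")
ZERO = "0x" + "0" * 40
WINDOW = 50        # assumed correlation window, in blocks
BIG_MINT = 100     # assumed alert threshold, in whole tokens
NEVER = -10**9

def detect(events):
    """Flag self-grants, admin->minter->revoke chains, and large mints by fresh minters."""
    alerts, admin_at, minter_at = [], {}, {}
    for e in sorted(events, key=lambda e: e.block):
        a = e.args
        if e.name == "RoleGranted":
            if a["account"] == a["sender"]:
                alerts.append((e.block, "SELF_GRANT", a["role"]))
            if a["role"] == "DEFAULT_ADMIN_ROLE":
                admin_at[a["account"]] = e.block
            elif a["role"] == "MINTER_ROLE":
                minter_at[a["account"]] = e.block
                if e.block - admin_at.get(a["sender"], NEVER) <= WINDOW:
                    alerts.append((e.block, "MINTER_FROM_FRESH_ADMIN", a["account"]))
        elif e.name == "RoleRevoked" and a["role"] == "DEFAULT_ADMIN_ROLE":
            if e.block - admin_at.get(a["account"], NEVER) <= WINDOW:
                alerts.append((e.block, "ADMIN_HELD_BRIEFLY", a["account"]))
        elif e.name == "Transfer" and a["from"] == ZERO:
            # The Transfer log only names the recipient, so the minter is the tx sender.
            fresh = e.block - minter_at.get(e.tx_from, NEVER) <= WINDOW
            if fresh and a["value"] >= BIG_MINT:
                alerts.append((e.block, "LARGE_MINT_BY_FRESH_MINTER", a["value"]))
    return alerts

def grant(block, role, account, sender):
    return Ev(block, "RoleGranted", {"role": role, "account": account, "sender": sender}, sender)

# Constructed accounts and events: a normal lifecycle, then the sequence the article describes.
DEPLOYER, MULTISIG, BRIDGE, X = ("0x" + c * 40 for c in "dcba")
SAMPLE = [
    grant(10, "DEFAULT_ADMIN_ROLE", MULTISIG, DEPLOYER),
    grant(500, "MINTER_ROLE", BRIDGE, MULTISIG),
    Ev(900, "Transfer", {"from": ZERO, "to": BRIDGE, "value": 2}, BRIDGE),
    grant(1000, "DEFAULT_ADMIN_ROLE", X, X),
    grant(1001, "MINTER_ROLE", X, X),
    Ev(1002, "RoleRevoked", {"role": "DEFAULT_ADMIN_ROLE", "account": X, "sender": X}, X),
    Ev(1003, "Transfer", {"from": ZERO, "to": X, "value": 1000}, X),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The first three constructed events (deployer hands admin to a multisig, the multisig grants a bridge minter rights, the bridge mints a small amount much later) raise nothing; every step of the later sequence raises an alert before or at the mint.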

The Cashout: Deposit, Borrow, Bridge

The attacker did not try to dump 1,000 eBTC into a DEX. Monad’s eBTC liquidity is thin, and the slippage would have eaten most of the extraction. They used the lending path instead, the same playbook Resolv’s attacker used to convert fake USR into ETH and KelpDAO’s attacker used to convert fake rsETH into WETH.

According to on-chain accounting reconstructed from the attacker wallet’s history, the cashout sequence was:

  • Deposit roughly 45 eBTC into Curvance’s eBTC market as collateral. The attacker received Curvance’s wrapped collateral receipt (ceBTC) in return.
  • Borrow against that collateral across multiple transactions, pulling out approximately 11.296 WBTC in total. The reason the borrow stopped there is some combination of Curvance’s available WBTC supply, the LTV ceiling on the eBTC market, and any borrow caps set on the asset; which of those was the binding constraint isn’t yet confirmed.
  • Bridge the borrowed WBTC off Monad. Community researchers tracking the wallet flagged LayerZero as the likely route; the exit transaction itself has not been independently confirmed at the time of writing.
  • Route the proceeds toward a mixer. Tornado-style obfuscation has been mentioned by multiple analysts on X, again as the most likely path rather than a confirmed on-chain fact.

The attacker still holds the bulk of the minted supply: roughly 955 eBTC sitting idle in the wallet, plus a small ceBTC position on Curvance. The residual sits there because Monad simply doesn’t have anywhere for it to go — no lender on the chain has the depth to absorb another borrow at that size, and DEX liquidity on eBTC would collapse against any meaningful dump.

The Curvance market is the immediate casualty. The lender is sitting on collateral whose redemption is in dispute against an outstanding WBTC borrow of 11.296 tokens, roughly $870K at current spot. Whether that hole gets backfilled by Echo, by Curvance’s treasury, or absorbed by suppliers depends on a recovery plan that hasn’t been published yet.

The Blast Radius

This incident is small and localized, and that’s worth saying clearly.

The damage is contained to Curvance’s eBTC/WBTC market on Monad. Curvance’s lending logic was not exploited; the protocol behaved correctly given inputs it had no way to verify. Other Curvance markets, on Monad and on the chains Curvance is deployed across, are not affected. Aave, Morpho, Spark, Fluid, and the rest of the major lending markets on Ethereum and the L2s have no Echo eBTC exposure.

Inside Monad, the secondary risk is anything else that listed Echo’s eBTC as collateral or held it in a vault. That list is short today because the asset is young, but it’s worth watching. Any DEX pool with eBTC liquidity is sitting next to a wallet that owns 955 of the things and has demonstrated willingness to dump them, so DEX LPs face slow-bleed risk if the attacker decides extraction-via-DEX is worth the slippage hit.

Untouched: real Bitcoin, real WBTC on every other chain, every other Bitcoin wrapper, and every other lending market that didn’t list eBTC. The failure here is asset-specific and chain-specific.

The Uncomfortable Questions

How did the attacker get the admin role in the first place? This is the question Echo has to answer, and it’s the only one whose answer matters past the immediate cleanup. If a hot admin key leaked, the lesson is operational. If the deployment left the role grantable to addresses it shouldn’t have, the same template needs reviewing on any other chain Echo deployed it on. If there’s an access-control bug in the contract logic itself, the scope expands.

Why did escalating one role break the whole thing? Whatever the entry point, the contract was structured so that a single compromise produced the entire outcome: no timelock between admin role grant and minter role grant, no separate “mint authority” multisig sitting downstream of the admin, no rate limit on freshly-granted minter roles. Multisigs, timelocks, and rate-limited mint authority on wrapped Bitcoin contracts exist precisely so this kind of single compromise can’t immediately produce 1,000 fake BTC. None of those were present here.
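To make the missing controls concrete, here is an added example (a Python model, not contract code and not taken from Echo or the original article) of a minter activation delay combined with a global rolling mint cap. The 2-day delay, 25-token daily cap, and the `MintGuard` and `replay` names are assumptions chosen for illustration.

```python
from collections import deque

class MintGuard:
    """Model of a minter activation delay plus a global rolling mint cap."""

    def __init__(self, delay_s, window_s, cap):
        self.delay_s, self.window_s, self.cap = delay_s, window_s, cap
        self.active_from = {}      # minter -> earliest time it may mint
        self.recent = deque()      # (time, amount) of mints inside the window

    def grant_minter(self, account, now):
        self.active_from[account] = now + self.delay_s

    def revoke_minter(self, account):
        # The delay exists so a guardian can do this before the first mint.
        self.active_from.pop(account, None)

    def mint(self, account, amount, now):
        if account not in self.active_from:
            return "REJECT: not a minter"
        if now < self.active_from[account]:
            return "REJECT: minter still in activation delay"
        while self.recent and self.recent[0][0] <= now - self.window_s:
            self.recent.popleft()
        # The cap is global, so granting many minters does not multiply it.
        if sum(amt for _, amt in self.recent) + amount > self.cap:
            return "REJECT: rolling cap exceeded"
        self.recent.append((now, amount))
        return "OK"

DAY = 86_400

def replay(guardian_reacts):
    """Replay grant-then-mint-1000 against assumed parameters: 2-day delay, 25 tokens/day."""
    g = MintGuard(delay_s=2 * DAY, window_s=DAY, cap=25)
    g.grant_minter("attacker", now=0)
    out = [g.mint("attacker", 1000, now=60)]            # mint right after the grant
    if guardian_reacts:
        g.revoke_minter("attacker")                     # grant was noticed during the delay
    out.append(g.mint("attacker", 1000, now=2 * DAY))   # full-size mint after the delay
    out.append(g.mint("attacker", 25, now=2 * DAY))     # largest mint the cap allows
    out.append(g.mint("attacker", 1, now=2 * DAY + 1))  # window already full
    return out
```

With no reaction at all, the model bounds issuance to the cap per window instead of 1,000 tokens at once; with a guardian who revokes during the delay, nothing is minted.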

Should Curvance have listed eBTC at all, and with what parameters? The realized bad debt is small in absolute terms (~$870K) partly because the LTV on the market appears to have been kept fairly tight (11.3 WBTC borrowed against ~45 eBTC of deposited collateral isn’t aggressive leverage) and partly because the lender’s WBTC supply on the market was modest. The harder question is whether a freshly-deployed wrapped Bitcoin token with mint authority sitting on a single admin role should have been accepted as collateral in the first place, on any LTV, by a lender that had no way to monitor for unauthorized issuance.

Will Monad’s lending markets tighten listing standards? Monad has spent its early months courting builders and shipping tokens fast. That’s the right strategy for getting an L1 ecosystem off the ground; it’s also exactly the condition that produced this incident. Whether the lending markets respond by tightening parameters on freshly-listed assets, or wait for a larger event to do that, is the question worth watching.

The Lesson, Again

Strip away the specifics and this is the same exploit as Resolv and KelpDAO.

Resolv’s USR exploit was a single externally owned address that could pass arbitrary mint amounts into completeSwap(), and ~$25M of real value walked out the door. KelpDAO’s rsETH exploit was a one-of-one DVN on a LayerZero adapter, and ~$236M of real value walked out the door. Echo’s eBTC exploit was a single admin role on a Bitcoin wrapper, and ~$870K of real value walked out the door.

What recurs across all three is the architectural shape: a privileged component on the edge carrying more authority than the surrounding system understood, with a downstream lending layer already composed against the asset as if the privileged component were sound. The lender behaves correctly. The token behaves correctly within its own access-control rules. The composition fails. The trust assumption embedded in the asset turns out to be weaker than the trust assumption the lender was operating on.

The realized losses look very different across the three incidents because the lending markets sitting downstream are very different. Mature lenders on Ethereum have learned to cap their exposure to any single collateral asset, to scrutinize the access controls of anything they list, and to keep blast radius small even when an upstream component breaks. New chains and new asset issuers haven’t built those reflexes yet. Until they do, each new ecosystem gets to learn the same lesson over again at whatever scale its lending markets happen to be running at the moment.

What Happens Next

The Monad team has acknowledged the incident publicly and said security researchers are reviewing the contract and the wallet history. The real outstanding answers fall to two teams. Echo has to explain the chain of custody on the admin role and what the recovery plan looks like for the unauthorized supply. Curvance has to address the listing decision and how the bad debt gets covered.

The attacker’s wallet is being tracked, and any further movement of the residual ~955 eBTC or of the bridged WBTC will be visible quickly. Whether the bad debt gets socialized to Curvance suppliers, absorbed by Curvance’s treasury, or covered by Echo as the upstream point of failure is the call Curvance has to make.

For anyone using newly-launched lending markets on newly-launched chains, the practical takeaway is narrow: before you supply real assets, look at what the borrowable collateral actually is, who can mint it, and whether anything stops them from minting more. If your lender can’t tell you which keys can produce that collateral, neither can you.

About the author
Nick Sawinyh
Nick Sawinyh founded DeFiprime in 2019 and has edited it ever since. His current editorial focus is stablecoin infrastructure, real-world assets on-chain, DeFi yield and risk, and crypto regulation. Based on the East Coast, US. He holds small positions across a range of crypto assets; nothing he publishes is investment advice.