According to public blockchain records, around May 18, 2026, an unexpected security incident occurred with the Echo Protocol deployed on the Monad ecosystem: an attacker minted approximately 1000 eBTC through an abnormal path, with a nominal value of about 76.7 million USD, far exceeding normal user behavior boundaries. After completing the abnormal minting, the attacker quickly deposited about 45 eBTC into the lending protocol Curvance as collateral to borrow approximately 11.29–11.3 WBTC (nominal value about 867,000–868,000 USD), and then some WBTC was cross-chain transferred to Ethereum, where it was exchanged and flowed into Tornado Cash, rapidly obscuring the funds' trajectory. According to several blockchain security teams and Chinese crypto media disclosed around May 19, this was not a simple contract vulnerability: eBTC, as a BTC-mapped asset issued by the Echo Protocol, has concentrated minting and management rights, viewed as having a single point of permission risk. Some security researchers even suspect this attack may be related to the abuse of contract management permissions, although this underlying cause has not yet received official confirmation. For Monad, which is still in its early building stage, some media described this incident as its first widely discussed major security storm, and the more critical issue lies in that it laid bare the trust model and permission design of early DeFi on Monad, becoming an unavoidable concentrated interrogation for all participants.

The Moment When 1000 eBTC Appeared Out of Thin Air

According to AiCoin data, before taking formal action, this attacker was not the first to operate along this path. Days or even earlier, there had been small-scale minting and lending attempts of eBTC along the same route: minting a bit of eBTC, depositing it into the same type of lending protocol, borrowing a small amount of BTC assets, and then quietly exiting. The amounts were small enough to be drowned out by daily noise, yet they successfully demonstrated the closed loop from minting to lending, rehearsing all key steps for the later large-scale operation, leaving only a few seemingly inconspicuous historical transactions.

The real anomaly appeared around May 18. The attacker suddenly minted about 1000 eBTC in one go along the same path, a scale far beyond normal user behavior boundaries. After completing the "out of thin air" minting, about 45 eBTC were rapidly sent to Curvance, as collateral to borrow approximately 11.29–11.3 WBTC, with a nominal value close to 870,000 USD. Subsequently, some WBTC was cross-chain transferred to Ethereum, where it was exchanged multiple times into other assets, ultimately reaching Tornado Cash, making the trail of funds swiftly obscure in the mixing pool. Public information has yet to reveal how much eBTC the attacker still holds and the corresponding nominal value, and among which addresses this residual stake might be lurking has become the most challenging variable to quantify in the subsequent risk assessment of the incident.

45 eBTC Collateral Leveraging WBTC

After completing the abnormal minting on Echo, the attacker did not directly sell eBTC, but chose to inject about 45 of them into Curvance. Blockchain records show that this batch of eBTC flowed into Curvance within a short time from the same source address, being locked as collateralizable assets. Since Curvance had already listed eBTC as a collateralizable asset at the time of the incident, the system did not set up additional gates or throttles for this concentrated, single-source large incoming deposit, allowing the lending logic to execute smoothly, enabling the attacker to successfully borrow approximately 11.29–11.3 WBTC from Curvance based on this collateral, corresponding to a nominal value of about 867,000–868,000 USD. Thus, a cross-protocol path was established from the abnormal minting of eBTC on Echo to normal lending on Curvance, amplifying the risk originally limited to a single asset contract into a value transfer at the mainstream asset level.

Looking back from the results, this process exposes a clear gap in the borrowing protocols regarding the launch of new assets and large collateral review. Curvance’s risk control assumptions for eBTC evidently linger more on the label level of "it is a BTC-mapped asset," without mechanism-level distinctions between "normally minted eBTC" and "abnormally concentrated new positions in a short time." The blockchain also did not impose higher scrutiny thresholds on collateral behaviors that were single-sourced and had anomalously increased in scale. Furthermore, as eBTC is managed centrally by Echo, and exists with single-point permission risks, once aberrations occur in the upstream contracts, the downstream lending protocols become a part of the "default footing," demonstrating clearly that in an early ecosystem, if asset whitelists, collateral limits, and source behavior monitoring are lacking, any single-point error may quickly be amplified by cross-protocol leverage into systemic loss risks.

The Trust Cracks of eBTC Under the Shadow of Single-point Permission

Echo previously chose a highly centralized way to issue eBTC—where the minting rights and key management permissions of this type of BTC-mapped asset are held by a very small number of control parties, meaning the entire system's security and credit are almost "tied" to a single management chain. Once this chain deviates, even with just one anomalous call, what the outside world sees is no longer a cold contract but a black box that may be capable of generating new assets with the press of a button. Some security researchers speculate that the abnormal minting of approximately 1000 eBTC is likely related to the compromise or abuse of contract admin permissions, but this claim has not yet been officially confirmed, and the technical underlying cause remains to be verified.

What truly tears apart the trust is that these 1000 newly minted eBTC do not correspond to any new collateral assets disclosed externally, which the community thus views as "unsecured minting." For users holding eBTC and various protocols that included eBTC in their collateral lists, the risk perception was reset at this moment: the token, originally assumed to have "complete asset support," suddenly revealed a higher-level uncertainty—there exists a concentrated permission that could be triggered at any time behind the asset, and in extreme scenarios, this permission could bypass public collateral constraints and directly rewrite supply. Before an official transparent review is provided, even if the on-chain price ultimately restores, the core question surrounding eBTC has become a simpler yet sharper inquiry: to what extent can this single-point permission chain be trusted?

Monad's Early Ecosystem Forced to Undergo a Security Baptism

Looking back at the overall timeline of the Monad public chain, the abnormal minting incident occurring on the Echo Protocol appears more like a forced security baptism that arrived when "the foundation had not yet been fully compacted." The Monad ecosystem is still in its early stages, with relatively limited DeFi protocols and on-chain assets; however, it has rapidly shown a cross-protocol attack pathway leveraging eBTC and Curvance, with multiple blockchain security teams and Chinese media disclosing this incident around May 19, bringing it quickly to the center of discussions in the Monad ecosystem. A single source described it as Monad's "first widely reported major security incident," but this description currently lacks further independent verification and can only be viewed as an unverified public assertion rather than an already finalized official conclusion.

Also in a "pending confirmation" status is the role Monad itself played in this incident. Some public information shows that there are opinions stating Monad officials emphasize that the network layer is operating normally and that the main applications affected are Echo and Curvance deployed on it. This stance still requires more solid evidence to support it. However, regardless of the ultimate investigation results, the boundary drawn between "network layer security" and "application layer security" has been vividly outlined by this incident involving the abnormal minting of 1000 eBTC and lending out about 11.29–11.3 WBTC: for the still under-construction Monad ecosystem, "the chain itself has no issues" does not equate to the overall ecosystem being easily considered as secure.

What Signals to Monitor On-chain After the Attack

The next most intuitive points of observation will be: what steps Echo and Curvance will take on the contract and permission levels: currently, eBTC minting and management permissions are relatively centralized, but up to now, there are no publicly detailed disposal plans and technical reviews that have been confirmed by multiple parties; whether there will be a tightening of minting permissions, adjustments to the management account structure, and whether Curvance will simultaneously upgrade the collateral listing review and risk control logic will all be directly reflected in the changes to on-chain parameters and contract versions; another clue is whether the attacker's address will continue to move the "unwashed" assets—some WBTC borrowed from Curvance has already been cross-chain transferred to Ethereum and flowed into Tornado Cash, and such mixing services have traditionally significantly increased the difficulty of tracking and reclamation in past cases, so any new cross-chain bridge interactions, exchange paths, or attempts to liquidate on Monad will become the targets that security teams and users need to closely monitor. Currently, multiple security teams have already marked and are continually tracking related addresses, providing a foundation for various risk control lists and interface prompts; a longer-term variable is whether the Monad ecosystem will treat this incident as a "starting case" and introduce clearer norms and tools for permission management, asset listing reviews, and cross-protocol risk control. If these institutional upgrades are delayed, the story of this eBTC abnormal minting and the utilization of Curvance will likely not be seen by the market as a "remedied accident" but rather may become an unavoidable reference point when assessing systemic risk in the Monad DeFi ecosystem.

Join our community, let's discuss, and become stronger together!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin On-chain: https://aicoin.com/hyperliquid
AiCoin Exclusive Hyperliquid Benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin Exclusive Aster Benefits: https://www.asterdex.com/zh-CN/referral/9C50e2

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。