By cryptoadmin Taiko, an Ethereum Layer 2 network that processes transactions off the main chain and settles them back to it, halted block production and told users to pull their funds after an attacker exploited its bridge earlier Monday.
The team estimated losses at about $1.7 million before it stopped the outflows.
The attacker forged the proofs a bridge uses to confirm that a withdrawal matches a real deposit. Fake withdrawal requests were accepted on Ethereum without any matching transaction on Taiko's own chain, which let the attacker register fraudulent withdrawals and drain funds from the bridge and its token vault, Taiko said.
Bridges are a blockchain-based tool that moves assets between Taiko and Ethereum.
How the attacker forged valid-looking proofs points to a leaked key.
Security firm BlockSec said its initial investigation traces the likely cause to a signing key for Raiko, the system Taiko uses to produce the proofs that convince Ethereum its transactions are genuine, being left publicly accessible on GitHub.
That key is meant to stay sealed inside secure hardware so the proofs can be trusted. With it exposed, the attacker could enroll their own provers as legitimate and sign fraudulent proofs that Taiko's verifier accepted, then fake a bridge withdrawal that released real assets on Ethereum.
.@taikoxyz was reportedly attacked, with losses exceeding $1.7M. Our initial investigation suggests the likely root cause was an exposed Raiko SGX enclave signing key on GitHub. Raiko is Taiko’s multi-prover stack for Taiko and Ethereum blocks, so an exposed Raiko SGX enclave key… https://t.co/8BIiEeNtYJ pic.twitter.com/eAq9Xjngz8
— BlockSec Phalcon (@Phalcon_xyz) June 22, 2026
Taiko urged all users to withdraw from every bridge on the network, asked centralized exchanges to suspend deposits of its TAIKO token, and had its block producers stop making new blocks during the investigation.
By about 2 a.m. ET it said the exploit was contained and withdrawals through the main bridge and token vault were fully stopped. The exploiter had already moved about 2 million TAIKO, worth roughly $170,000, to an account on the MEXC exchange.
The dollar loss is small, but the flaw came from the same DeFi mechanism that have caused hundreds of millions worth of losses this year.
Forged cross-chain messages drained $292 million from Kelp DAO's bridge in April and $11.4 million from the Verus-Ethereum bridge in May, the same failure where one chain is tricked into trusting a fake instruction from another. Bridges have produced more than $340 million in losses across at least 14 exploits in 2026, making it the costliest target in crypto. Taiko's damage stayed contained mainly because the team caught and froze it within hours.