
Ethereum-based rollup Taiko has confirmed a compromise of its chain state verification mechanism.
In a statement on the social media platform X, Taiko said that due to the compromise, all bridges deployed on the protocol are no longer considered secure.
"We are actively coordinating with the Security Council and ecosystem partners to contain the incident, pause affected systems where possible, and take all necessary technical and legal actions," Taiko wrote. "We strongly advise all users to withdraw their funds from all bridges deployed on Taiko immediately."
Taiko also requested that centralized exchanges suspend deposits of its native token immediately until further notice from the protocol.
In a follow-up X post, Taiko wrote that all of its proposers have halted the production of new blocks while the team investigates the issue.
At around 2:08 a.m. ET on Monday, Taiko published an update saying that the exploit has been contained, and withdrawals through the L1 Bridge and the ERC20Vault have been fully stopped.
Flaw in proof validation
"What happened: an attacker exploited a flaw in our bridge message-proof verification," Taiko wrote in its latest update. "Forged message proofs were accepted on L1 without a legitimate event on the source chain, which let them register fraudulent withdrawals and pull funds from the bridge and token vault."
Taiko's confirmation of the exploit followed an earlier report from onchain security firm Blockaid, which pointed to a flaw in the Taiko bridge's source-signal proof validation as the likely root cause.
"Crafted message proofs were accepted as valid on Ethereum L1 without corresponding legitimate MessageSent events on the Taiko source chain," Blockaid wrote. "This allowed the attacker to register and later retrieve fraudulent bridge messages, resulting in unauthorized asset releases from the ERC20 vault."
While Blockaid reported the losses to be around $1 million, follow-up reports from onchain analytics platform PeckShield said the stolen amount totals around $1.7 million, and the exploiter has moved 1.99 million Taiko tokens (worth about $169,702) to an address on the MEXC exchange.
In its latest update, Taiko confirmed that the estimated losses were around $1.7 million before the pause. The team also said it is preparing a full post-mortem of the incident.
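The condition both Taiko and Blockaid describe, an L1 release with no matching MessageSent event on the source chain, is something a monitor can check by reconciling the two chains' logs. The sketch below is an added example, not code from Taiko or Blockaid; the record layout, field names, token labels and the SHA-256 stand-in for the bridge's message hash are all assumptions, and the sample data is constructed.

```python
import hashlib
import json

def message_hash(message):
    # Stand-in hash (assumption): a real bridge hashes the ABI-encoded message with keccak256.
    canonical = json.dumps(message, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def reconcile(source_events, l1_releases):
    """Flag L1 releases that have no matching MessageSent event on the source chain."""
    # Index by a hash recomputed from the event body, never by a hash a record claims.
    sent = {message_hash(ev["message"])
            for ev in source_events if ev["event"] == "MessageSent"}
    alerts = []
    for rel in l1_releases:
        recomputed = message_hash(rel["message"])
        if recomputed != rel["msg_hash"]:
            reason = "hash_mismatch"    # released fields differ from the message the hash names
        elif recomputed not in sent:
            reason = "no_source_event"  # accepted on L1, nothing emitted on the source chain
        else:
            continue
        msg = rel["message"]
        alerts.append({"tx": rel["tx"], "reason": reason,
                       "token": msg["token"], "amount": msg["amount"]})
    return alerts

def unbacked_by_token(alerts):
    """Sum the flagged amounts per token to size the exposure."""
    totals = {}
    for a in alerts:
        totals[a["token"]] = totals.get(a["token"], 0) + a["amount"]
    return totals

# Constructed sample data (hypothetical ids, recipients, tokens and amounts).
M1 = {"id": 1, "to": "0xaaa", "token": "TOKEN_A", "amount": 500}
M2 = {"id": 2, "to": "0xbbb", "token": "TOKEN_A", "amount": 900_000}  # never sent
M3 = {"id": 3, "to": "0xccc", "token": "TOKEN_B", "amount": 40}
M3_ALTERED = dict(M3, amount=40_000)  # release record disagrees with its hash
SOURCE_EVENTS = [
    {"event": "MessageSent", "message": M1},
    {"event": "MessageSent", "message": M3},
]
L1_RELEASES = [
    {"tx": "tx-01", "msg_hash": message_hash(M1), "message": M1},
    {"tx": "tx-02", "msg_hash": message_hash(M2), "message": M2},
    {"tx": "tx-03", "msg_hash": message_hash(M3), "message": M3_ALTERED},
]
ALERTS = reconcile(SOURCE_EVENTS, L1_RELEASES)
```

Run against an independent source-chain node, a check of this kind does not rely on the bridge contract's own proof verification, which is the component that failed here.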
Taiko is a based rollup — a type of rollup that relies on Ethereum block validators to sequence transactions. It launched on mainnet in May 2024 after being in development since 2022.
Ref: https://paykalken.com