Echo Protocol Lost $816K Due to Admin Key, Not Code Hack

Reading time: 8 min. abelcopy_editor

The Echo Protocol story at first looked like another major DeFi hack, this time for $76.7 million. But the real picture turned out to be different. The attacker did not break the smart contract or find a complex vulnerability in the code. He gained access to the admin key, minted 1,000 fake eBTC, and was able to withdraw about $816,000 in real assets from the system.

The difference between the ‘paper’ $76.7 million and the actual $816,000 became the main takeaway from this attack. The problem was not with the Monad blockchain or the core Echo code, but with access management, weak internal procedures, and the lending protocol Curvance’s trust in collateral that had just been issued.

The Attack Began With Stolen Admin Access

Echo Protocol operates in the BTCFi segment and issues wrapped versions of bitcoin for DeFi. On Aptos, the project uses aBTC, and on the Monad network, it issued eBTC. These assets were not directly linked, so the incident affected only eBTC on Monad.

The attacker gained access to eBTC token admin rights. After that, he assigned himself the minter role and minted 1,000 eBTC to his own wallet. At market value, this looked like $76.7 million, but there was no real bitcoin backing these tokens. They were empty tokens without collateral.

Why $76.7 Million Did Not Turn Into Real Losses

The fake eBTCs themselves were worthless as long as they could not be exchanged for real assets. The problem for the attacker was Monad’s low liquidity. Selling 1,000 eBTC on a DEX was impossible: the market simply could not handle that volume, and the price would have collapsed almost immediately.

So the attacker chose a different path. He deposited 45 eBTC into Curvance as collateral and borrowed 11.29 WBTC against them, about $868,000 in real value. The assets were then transferred to Ethereum, swapped for roughly 384 ETH, and sent through Tornado Cash. The final amount actually withdrawn was about $816,000.

Curvance Accepted the Fake Collateral as Real

The second weak point of the attack appeared on the Curvance side. The protocol accepted eBTC as ordinary collateral without checking whether these tokens were actually backed by bitcoin. For the contract, they were simply eBTC in the user’s wallet.

This is what allowed the attacker to turn fake tokens into real WBTC. Curvance was not directly hacked, but its collateral evaluation system was too trusting of an asset that had just been issued through compromised admin access.
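One lender-side check that would refuse freshly issued collateral, as an added example (not Curvance's code and not from the original article). The contract name, the 5% growth threshold, the deposit cap and the guardian role are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface ISupply { function totalSupply() external view returns (uint256); }

/// Added illustration, not Curvance's code. Names and thresholds are assumptions.
contract CollateralSupplyGuard {
    uint256 public constant MAX_GROWTH_BPS = 500; // assumed: +5% over reviewed baseline
    ISupply public immutable collateral;  // wrapped token accepted as collateral
    address public immutable market;      // lending market allowed to call the hooks
    address public immutable guardian;    // assumed risk multisig that reviews freezes
    uint256 public immutable depositCap;  // most collateral the market will ever hold
    uint256 public baselineSupply;        // last supply a human signed off on
    uint256 public totalDeposited;
    bool public frozen;

    event Frozen(uint256 supplySeen, uint256 baseline);

    constructor(ISupply token, address market_, address guardian_, uint256 cap) {
        collateral = token; market = market_; guardian = guardian_; depositCap = cap;
        baselineSupply = token.totalSupply();
    }

    // True when circulating supply has grown past the reviewed baseline plus the margin.
    function supplyJumped() public view returns (bool) {
        return collateral.totalSupply() * 10_000 > baselineSupply * (10_000 + MAX_GROWTH_BPS);
    }

    // Anyone (for example a monitoring bot) can latch the freeze while the jump is visible,
    // so a later burn of the excess tokens does not silently reopen the market.
    function trip() external {
        require(supplyJumped(), "supply normal");
        frozen = true;
        emit Frozen(collateral.totalSupply(), baselineSupply);
    }

    // The market calls this before crediting collateral; it reverts to refuse the deposit.
    function beforeDeposit(uint256 amount) external {
        require(msg.sender == market, "not market");
        require(!frozen && !supplyJumped(), "collateral frozen");
        require(totalDeposited + amount <= depositCap, "deposit cap");
        totalDeposited += amount;
    }

    // Only after checking the issuer's reserves does the guardian accept the new supply.
    function rebaseline() external {
        require(msg.sender == guardian, "not guardian");
        baselineSupply = collateral.totalSupply();
        frozen = false;
    }
}
```

A supply check of this kind does not prove bitcoin backing; it only makes a sudden unreviewed mint fail closed until someone has looked at the issuer's reserves.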

Echo Managed to Burn Most of the Fake Tokens

After discovering the attack, Echo regained control over admin access and burned the remaining 955 eBTC in the attacker’s wallet. The team also suspended related functions on Monad and temporarily restricted bridges and lending tools on Aptos, although the Aptos part itself was not affected.

Curvance suspended the eBTC market and reported that its isolated pool structure prevented the problem from spreading to other assets. Monad was also not compromised. The network operated normally, and the incident remained at the application level above it.

Echo’s Main Mistake Was One Key Instead of Proper Protection

The most important part of the incident was the admin access setup. The key role was assigned to a single ordinary wallet, not a multisig. This means that one stolen private key was enough to gain control over eBTC issuance.

In addition, the system had no timelock, no token issuance limit, and no minting speed restriction. The attacker was able to grant himself rights and mint 1,000 eBTC at once, with no delay and no window for the team to react. For a DeFi project with large asset value, these are basic security measures, not complex architecture.
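The three missing controls named above (a delay on role grants, an issuance limit and a minting rate limit) sketched as a minimal mint path. This is an added example, not Echo's eBTC contract and not from the original article; the contract name, the two-day delay, the one-day window and the cap parameters are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Echo's eBTC contract. Names and limits are assumptions.
contract GuardedMint {
    uint256 public constant GRANT_DELAY = 2 days; // assumed timelock on new minters
    uint256 public constant WINDOW = 1 days;      // assumed rate-limit window
    uint256 public immutable windowCap;           // most that can be minted per WINDOW
    uint256 public immutable maxSupply;           // hard issuance limit
    address public immutable governance;          // meant to be a multisig, not one wallet

    mapping(address => uint256) public minterActiveAt; // 0 = not a minter
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public windowStart;
    uint256 public mintedInWindow;

    event MinterProposed(address indexed who, uint256 activeAt);
    event MinterRevoked(address indexed who);

    constructor(address multisig, uint256 perWindow, uint256 hardCap) {
        governance = multisig; windowCap = perWindow; maxSupply = hardCap;
    }

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    // A grant only takes effect after GRANT_DELAY, so a stolen key cannot mint at once.
    function proposeMinter(address who) external onlyGovernance {
        minterActiveAt[who] = block.timestamp + GRANT_DELAY;
        emit MinterProposed(who, minterActiveAt[who]);
    }

    // Revocation is immediate: the delay above is the team's window to call this.
    function revokeMinter(address who) external onlyGovernance {
        delete minterActiveAt[who];
        emit MinterRevoked(who);
    }

    function mint(address to, uint256 amount) external {
        uint256 activeAt = minterActiveAt[msg.sender];
        require(activeAt != 0 && block.timestamp >= activeAt, "minter not active");
        if (block.timestamp >= windowStart + WINDOW) { windowStart = block.timestamp; mintedInWindow = 0; }
        require(mintedInWindow + amount <= windowCap, "rate limit");
        require(totalSupply + amount <= maxSupply, "max supply");
        mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

The `MinterProposed` event is what monitoring should alert on: an unexpected proposal gives the team the whole delay to revoke it before any token can be minted.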

DeFi Is Increasingly Hacked Not Through Code

Echo became another example of a broader trend in 2026. The largest losses in DeFi are increasingly caused not by Solidity errors, but by compromised keys, infrastructure, admin access, bridges, and internal processes.

In April, Drift lost $285 million after social engineering, and KelpDAO lost $292 million due to an infrastructure attack. Verus Bridge faced a cross-chain verification problem, and THORChain reported a hack of more than $10 million. Echo followed the same logic: the code could work as intended, but the surrounding security system failed.

Attackers Have Risen Above the Smart Contract Level

In recent years, DeFi has learned to check code better. Audits, bounty programs, and formal verification have become the norm for major projects. But attackers have simply shifted their focus.

Now they more often target what does not always undergo a full audit: private keys, admin roles, servers, RPC infrastructure, employees, developer tools, and management procedures. This is worse for the market because such attacks are harder to spot in advance and harder to stop in the moment.

Echo Got Lucky Due to Monad’s Low Liquidity

In fact, Echo was saved not by good protection, but by limited liquidity. If the same volume of fake tokens had ended up in a deeper network with a developed market, the damage could have been much closer to the reported $76.7 million.

On Ethereum or another major ecosystem, the attacker could have found more ways to turn fake collateral into real assets. In Monad’s case, he was only able to withdraw what Curvance’s liquidity allowed.

What Next?

The Echo incident shows that the main threat to DeFi in 2026 is no longer just in smart contracts. Protocols can have working code but remain vulnerable due to a single weak admin key, lack of timelocks, and poor collateral verification.

For wrapped assets, the main question is simple: who can issue tokens, and how hard is it to seize that access? If issuance is controlled by a single wallet, the entire protocol effectively depends on one private key.

Echo got off with relatively small real losses. But the lesson for the market is tough: multisig, timelocks, issuance limits, and collateral checks must be mandatory, not optional extras after another hack.
