Taiko Bridge Hack Drains $1.7M

Key Takeaways:

• Taiko confirmed a compromise in its chain state verification mechanism.
• The exploit is estimated to have cashed out a sum of approximately USD 1.7 million from the infrastructure of the protocol’s bridge.
• All users have been advised to remove assets from all the deployed bridges on Taiko.

User Score

8.7

    Follow us on Google NewsA critical vulnerability in Taiko’s chain state verification mechanism is what has prompted the security alert. This incident has sparked fears that L2 bridges are vulnerable to attacks in Ethereum.

The vulnerability enabled messages to be accepted on Ethereum as a fraudster, resulting in unauthorised withdrawals of assets from the ERC20 vault on Ethereum, according to security researchers.

Table of Contents

• Taiko Warns Users to Exit Bridge Positions
• Faulty Proof Validation Enabled Fake Messages
  • Fraudulent Messages Triggered Unauthorized Withdrawals
  • Attacker Moves Tokens While Holding Large ETH Position

Taiko Warns Users to Exit Bridge Positions

Taiko confirmed that the assumptions protecting bridge security can no longer be trusted following the incident. The team said it is working with its Security Council and ecosystem partners to contain the damage, pause affected systems, and coordinate technical and legal responses.

The users were strongly urged to withdraw all the amount from all the bridges that were operating on the network as a precautionary step.

The note is one of the most severe security notices sent by any major layer-2 project on Ethereum this year, as it applies to the same underlying trust model for bridge operations.

Read More: $2.1M Aztec Exploit Sparks Alarm as Funds Drain From Long-Abandoned Privacy Protocol

## Faulty Proof Validation Enabled Fake Messages

The root cause might be in the source-signal proofs validation process, according to blockchain security firm Blockaid. It also reportedly enabled a proof of message design to be submitted to the Ethereum chain without there being any legitimate MessageSent events on Taiko.

Fraudulent Messages Triggered Unauthorized Withdrawals

Forged proofs were able to pass verification, and they were then able to be redeemed for real-money. This ultimately resulted in unauthorized releases of the ERC20 vault, Blockaid said.

The firm declared that it was not about private key misappropriation or compromise of the validators. Instead, the exploit focuses on the challenge to verify messages between chains as bridges.

This is one of the biggest vulnerabilities of cross-chain infrastructure, with failures in message authentication potentially resulting in asset loss.

Read More: $290M KelpDAO Hack SHOCK: LayerZero Points to Fatal DVN Flaw, Lazarus Suspected

Attacker Moves Tokens While Holding Large ETH Position

The total losses were estimated around $1.7 million, says Blockchain analytics platform, Lookonchain.

Traders estimate that the opponent traded about $189,000 worth of the tokens into the MEXC exchange via 1.99 million tokens TKO. According to on-chain data, the presence of the exploiters is still a bit more than 870 ETH, worth approximately $1.5 million.

The assets have still not been retrieved and can easily be tracked on-chain by security researchers.

The occurrence comes on the heels of a barrage of bridge and DeFi hacks over the last few weeks. Even complex verifier chains could become the target of bots or hackers, as they maintain large amounts of locked tokens in the process.