Ethereum-based Layer 2 network Taiko stopped block production following an attack on its bridge and asked users to withdraw their assets from bridges on the network. The team announced that approximately $1.7 million was lost before the attack was stopped.
What was the method of the attack?
According to Taiko, the attacker forged the cross-chain proofs that the bridge uses to verify that a withdrawal matches a real deposit. As a result, withdrawal requests that had no counterpart on Taiko were accepted as valid on Ethereum, and the assets in the bridge and token vault were drained.
The Taiko team noted that fraudulent withdrawal requests were accepted on Ethereum even though there was no matching deposit on the Taiko chain, which allowed the attacker to register fraudulent withdrawals.
Bridges are infrastructure that enables asset transfers between different blockchains. In Taiko's case, the bridge moves funds between the network and Ethereum.
Mini glossary: Raiko is the proof generation system that Taiko uses to show the Ethereum side that transactions are valid. The signing key used in this system must be stored in secure hardware.
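The mismatch described above (a withdrawal accepted on Ethereum with no matching deposit on Taiko) can be detected without relying on the proof system, by comparing the records of both chains. The following is an added example, not Taiko's or BlockSec's code; the `Msg` fields, function names and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    msg_hash: str   # hypothetical id shared by both legs of one transfer
    token: str
    amount: int
    recipient: str

def reconcile(l2_sent, l1_released):
    """Flag L1 releases that no L2 message backs. Uses chain data only,
    so a forged but validly signed proof does not hide the mismatch."""
    sent = {m.msg_hash: m for m in l2_sent}
    seen, findings = set(), []
    for r in l1_released:
        src = sent.get(r.msg_hash)
        if src is None:
            findings.append(("no_source_message", r))
        elif r.msg_hash in seen:
            findings.append(("duplicate_release", r))
        elif src != r:
            findings.append(("field_mismatch", r))
        seen.add(r.msg_hash)
    return findings

def flagged_value(findings):
    """Sum the released amount per token across all findings."""
    totals = {}
    for _, r in findings:
        totals[r.token] = totals.get(r.token, 0) + r.amount
    return totals

# Constructed sample data, not taken from the incident.
L2_SENT = [Msg("0xa1", "ETH", 5, "alice"), Msg("0xa2", "USDC", 1000, "bob")]
L1_RELEASED = [
    Msg("0xa1", "ETH", 5, "alice"),       # backed by an L2 message
    Msg("0xa2", "USDC", 9000, "bob"),     # amount differs from the L2 message
    Msg("0xff", "ETH", 400, "mallory"),   # nothing was sent on L2
    Msg("0xa1", "ETH", 5, "alice"),       # same message released twice
]

if __name__ == "__main__":
    for reason, r in reconcile(L2_SENT, L1_RELEASED):
        print(reason, r.msg_hash, r.amount, r.token)
    print(flagged_value(reconcile(L2_SENT, L1_RELEASED)))
```

In practice the two input lists would come from independently operated nodes on each chain, so the check does not share a trust root with the signing key.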
Preliminary findings point to the possibility of a leak
Initial assessments of how the attacker produced seemingly valid proofs raised the possibility of a key leak. Security company BlockSec reported in its preliminary investigation that the possible cause may be that the signing key used for Raiko was left publicly available on GitHub.
According to BlockSec, this key should normally be kept sealed inside secure hardware. If the key is compromised, the attacker can register their own proof generators as legitimate, then sign fake proofs that the validator accepts, allowing real assets to be released on the Ethereum side.
Fund movements were stopped
Taiko warned users to withdraw from all bridges on the network. It also asked centralized exchanges to suspend TAIKO deposits and stopped block producers from creating new blocks during the review process. The team announced that the attack was under control as of approximately 02:00 Eastern US time and that withdrawals via the main bridge and token vault were completely halted.
It was also reported that the attacker moved 2 million TAIKO, worth approximately 170 thousand dollars, to an account on the MEXC exchange. Taiko, a Layer 2 network launched on Ethereum in May 2024, aims to reduce transaction costs by processing transactions off the main chain and moving them back to Ethereum.
Similar vulnerabilities surfaced this year too
Although the financial loss remained limited, the method used was said to fit a broader class of vulnerabilities seen in bridge attacks this year. According to the figures cited in the report, fake cross-chain messages led to the withdrawal of $292 million from the Kelp DAO bridge in April and $11.4 million from the Verus-Ethereum bridge in May.
A total loss of over 340 million dollars has been recorded across bridge infrastructure in at least 14 separate attacks throughout 2026. Taiko, on the other hand, stated that the incident was noticed within hours and the transactions were frozen, preventing the damage from growing further. The company announced that a detailed report about the incident would be shared on Monday during Asian hours.

