Taiko confirmed a compromise of its chain state verification mechanism on June 21, warning that the security assumptions of all bridges deployed on Taiko can no longer be relied upon and urging users to withdraw funds from every Taiko bridge immediately. The team said it is coordinating with its Security Council and ecosystem partners to contain the incident, pause affected systems where possible, and pursue all necessary technical and legal action.
Blockaid's exploit detection system identified the ongoing exploit on Taiko's ERC20 Vault on Ethereum, with losses estimated at more than $1 million. The root cause appears to be a flaw in Taiko's bridge source-signal proof validation, where crafted message proofs were accepted as valid on Ethereum L1 without corresponding legitimate MessageSent events on the Taiko source chain. The attacker used the flaw to register and later retrieve fraudulent bridge messages, resulting in unauthorized asset releases from the vault.
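The flaw described above breaks one invariant: every release on the destination chain must correspond to a real MessageSent event on the source chain. As an added example (not Taiko's or Blockaid's code), an off-chain monitor can reconcile the two event streams independently of the on-chain proof check; the record shapes, field names and reason labels are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SentEvent:      # assumed shape of a decoded source-chain MessageSent log
    msg_hash: str
    token: str
    amount: int
    finalized: bool   # True once the source block holding the log is finalized

@dataclass(frozen=True)
class Release:        # assumed shape of a decoded destination-chain vault release
    msg_hash: str
    token: str
    amount: int
    tx: str

def reconcile(sent, releases):
    """Return (tx, reason) for each release that violates the invariant:
    one release per finalized source event, with identical token and amount."""
    by_hash = {e.msg_hash: e for e in sent}
    seen, alerts = set(), []
    for r in releases:
        src = by_hash.get(r.msg_hash)
        if src is None:
            alerts.append((r.tx, "no_source_event"))       # proof accepted, nothing was sent
        elif not src.finalized:
            alerts.append((r.tx, "source_not_finalized"))  # source event could still reorg
        elif (src.token, src.amount) != (r.token, r.amount):
            alerts.append((r.tx, "payload_mismatch"))      # released more or other than sent
        elif r.msg_hash in seen:
            alerts.append((r.tx, "duplicate_release"))     # same message paid out twice
        seen.add(r.msg_hash)
    return alerts

# Constructed sample data; hashes, tokens and tx ids are placeholders.
SENT = [SentEvent("0xaa", "TOKEN_A", 500, True),
        SentEvent("0xbb", "TOKEN_A", 900, False),
        SentEvent("0xcc", "TOKEN_B", 100, True)]
RELEASES = [Release("0xaa", "TOKEN_A", 500, "tx1"),
            Release("0xdd", "TOKEN_A", 250000, "tx2"),
            Release("0xcc", "TOKEN_B", 1000, "tx3"),
            Release("0xaa", "TOKEN_A", 500, "tx4"),
            Release("0xbb", "TOKEN_A", 900, "tx5")]

if __name__ == "__main__":
    for tx, reason in reconcile(SENT, RELEASES):
        print(tx, reason)
```

Because the source events are read directly from a source-chain node rather than from the bridge's own proof path, a defect in proof validation does not blind this check.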
In a later update, Taiko said the incident is contained. The bridge and vault are paused, so no further funds can be withdrawn, and the bridge is offline in both directions, meaning users should not attempt to bridge. Pending transactions are paused rather than lost.
The compromise extends a run of June security incidents across Ethereum, following a coordinated honeypot that drained the Jared from Subway MEV bot and a second exploit on a deprecated Aztec rollup.
This is a developing story.


