Taiko urges bridge withdrawals after $1.7M breach
Taiko warned its chain-state verification was compromised and urged users to withdraw funds from all bridges after a breach BlockSec Phalcon linked to an exposed Raiko SGX signing key and $1.7M loss.
The Taiko team posted a security notice on Sunday warning that its chain-state verification mechanism had been compromised and advising all users to withdraw funds from bridges connected to the network immediately. The notice said the security assumptions behind those bridges could no longer be trusted.
Blockchain security firm BlockSec Phalcon published a preliminary analysis estimating losses above $1.7 million and identifying a likely cause: an exposed Raiko Intel SGX enclave signing key that had been publicly accessible on GitHub. The firm noted the exposed key may have allowed an attacker to register attacker-controlled SGX instances using SgxVerifier.registerInstance.
BlockSec Phalcon described how the attacker could use compromised verifier instances to generate fraudulent proofs that Taiko’s verification contracts would accept. Those forged proofs, the firm said, could be used to submit a fake bridge message that triggered the release of assets from the protocol’s ERC20Vault. Thefirm’s loss estimate is based on on-chain analysis of transactions tied to the incident.
Taiko did not provide a loss estimate in its notice. The development team said it is coordinating with its Security Council and ecosystem partners to contain the incident, pause affected systems where possible, and pursue technical and legal responses. Users were asked to move funds off bridges while investigations continue.
Taiko is an Ethereum-compatible layer-2 network that uses zero-knowledge rollups to batch transactions and post compressed data to Ethereum. Its mainnet launched in May 2024 and the project was co-founded by former Loopring CEO Daniel Wang. Bridges on Taiko move assets between Ethereum and the layer-2 environment; the breach affects any bridge that relies on the compromised verification flow.
The incident follows a series of large losses across decentralized finance earlier this year, including a $292 million cross-chain bridge theft in April, an unauthorized minting incident tied to $77 million in May with later reported realized losses around $816,000, and a $1.34 million loss at a Solana-based exchange after an exploit of deprecated liquidity pools. Industry tallies showed DeFi protocols lost more than $840 million in the first five months of the year.
Taiko’s developers did not provide a timeline for restoring bridge operations. The team said further updates will follow as forensic work and mitigation steps progress.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
