Ethereum-Based Taiko Confirms $1.7 Million Loss After Verification Breakdown

  • The Taiko network suspended all withdrawals and new block production after attacks made possible by an error in proof verification.
  • Forged proof messages bypassed the security systems, allowing funds to be withdrawn from the vaults.
  • The estimated loss amounts to $1.7 million.

Taiko exploit concerns intensified after the Ethereum-based rollup confirmed that attackers had compromised its chain state verification mechanism, prompting an emergency response that included halting bridge withdrawals, suspending block production, and warning users that all bridges deployed on the protocol should no longer be considered secure. 

The incident marks another addition to a growing list of crypto protocol breaches reported in June and has led to renewed scrutiny of bridge security after attackers successfully withdrew funds through fraudulent messages accepted by the network’s verification system. 

Taiko stated that it is coordinating with its Security Council and ecosystem partners as it conducts an investigation into the breach and prepares a full post-mortem report.

Taiko Issues Emergency Warning Following Security Breach

The protocol disclosed the incident in a statement on X, advising users to immediately withdraw funds from all bridges deployed on the network. The team also requested that centralized exchanges suspend deposits of the native TAIKO token until further notice.


Source: Taiko.eth

As part of its response, Taiko confirmed that all proposers had stopped producing new blocks while the investigation remained ongoing. The protocol said it was working with ecosystem participants to contain the incident and limit any additional impact.

A later update stated that the exploit had been contained and that withdrawals through the L1 Bridge and ERC20Vault had been fully halted.

Taiko Exploit Linked to Bridge Verification Flaw

According to information released by Taiko and blockchain security firm Blockaid, the breach originated from a flaw in the protocol’s bridge message-proof verification process.

The vulnerability allowed forged message proofs to be accepted as valid on Ethereum without corresponding legitimate events occurring on the Taiko network. As a result, attackers were able to register fraudulent bridge messages and subsequently withdraw assets from the protocol’s ERC20 vault.

Blockaid reported that crafted message proofs were recognized on Ethereum Layer 1 despite lacking legitimate source-chain validation. The security firm said this enabled unauthorized asset releases from the bridge infrastructure.

The fraudulent withdrawals followed the creation of forged message proofs that evaded the verification process, and funds were withdrawn from the impacted systems before any emergency action was taken.
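The condition described above, a message accepted on Ethereum with no matching event on the source chain, can be monitored independently of the proof verifier by reconciling both sides of the bridge. The following is an added example, not code from Taiko or Blockaid; the message fields, chain id, SHA-256 digest and sample events are constructed assumptions, and a real bridge would use its own message encoding and hash.

```python
import hashlib
from dataclasses import dataclass, astuple

@dataclass(frozen=True)
class BridgeMessage:  # hypothetical schema, not the protocol's real message layout
    src_chain_id: int
    msg_id: int
    sender: str
    recipient: str
    token: str
    amount: int

def message_hash(m: BridgeMessage) -> str:
    """Digest over every field, so changing any field yields a different hash."""
    return hashlib.sha256("|".join(map(str, astuple(m))).encode()).hexdigest()

def reconcile(l2_sent, l1_processed):
    """Flag L1-processed messages that lack an identical send event on L2."""
    sent_hashes = {message_hash(m) for m in l2_sent}
    sent_ids = {(m.src_chain_id, m.msg_id) for m in l2_sent}
    seen, findings = set(), []
    for m in l1_processed:
        h = message_hash(m)
        if h in seen:
            findings.append(("REPLAYED", m))          # same message released twice
        elif h not in sent_hashes:
            known_id = (m.src_chain_id, m.msg_id) in sent_ids
            findings.append(("ALTERED" if known_id else "NO_SOURCE_EVENT", m))
        seen.add(h)
    return findings

def exposure_by_token(findings):
    """Sum the amounts of flagged releases per token, for triage."""
    totals = {}
    for _, m in findings:
        totals[m.token] = totals.get(m.token, 0) + m.amount
    return totals

# Constructed sample data: events read from an independently run L2 node
# versus messages the L1 bridge contract marked as processed.
L2_SENT = [BridgeMessage(1001, 1, "0xA1", "0xB1", "USDC", 500),
           BridgeMessage(1001, 2, "0xA2", "0xB2", "ETH", 3)]
L1_PROCESSED = [L2_SENT[0],
                BridgeMessage(1001, 2, "0xA2", "0xEE", "ETH", 300),
                BridgeMessage(1001, 99, "0xEE", "0xEE", "USDC", 90000),
                L2_SENT[0]]

if __name__ == "__main__":
    for kind, msg in reconcile(L2_SENT, L1_PROCESSED):
        print(kind, msg)
```

The check is only as trustworthy as its L2 event source, so the send events should come from a node the operator runs rather than from data supplied alongside the proof.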

Total Estimated Losses Equal Roughly $1.7 Million

Blockaid initially estimated the value of the stolen assets at around $1 million. Further investigation, however, revealed a higher figure.

PeckShield and other on-chain investigators estimated that losses reached approximately $1.7 million. Taiko later confirmed that the exploit resulted in estimated losses of around $1.7 million before affected services were paused.

Data from blockchain intelligence platform Arkham indicated that wallets linked to the exploiter were still holding approximately $1.5 million in assets, primarily in Ether.

PeckShield also reported that the attacker transferred 1.99 million TAIKO tokens to the MEXC exchange following the exploit. The transferred tokens were worth approximately $169,702 at the time the report was filed.

Market figures cited by investigators indicated that TAIKO was trading about 98% below its 2024 price.

June Sees Multiple Protocol Attacks

The Taiko hack took place in a month that also saw multiple attacks on other protocols in the digital asset space.

According to DeFiLlama data, at least 23 protocol exploits have been recorded so far in June.

Among the largest incidents were attacks involving Humanity Protocol and the Syscoin Bridge, which reportedly resulted in losses exceeding $30 million and $8 million, respectively.

The latest breach also followed another security incident reported days earlier on Secret Network. That exploit resulted in the theft of approximately $4.67 million worth of assets.

Separately, around $1.1 million was drained from the OLPC/LABUBU liquidity pool on PancakeSwap. The LABUBU token is a memecoin inspired by the toy brand of the same name.


Source: ExVul

Additional incidents reported during the month included exploits involving Aztec Connect, RetoSwap, and Raydium AMM.

Network Response and Investigation Continue

Taiko said it is continuing to coordinate with ecosystem partners, security teams, and its Security Council as efforts to investigate the incident proceed.

The protocol stated that technical and legal actions are being considered as part of the response. It also reiterated that affected systems had been paused where possible to prevent additional unauthorized activity.

A full incident review is expected to be released once the investigation is complete. The report will contain additional information about the nature of the vulnerability, how the attack was carried out, and how it was mitigated after the problem was discovered.
