Ethereum Layer 2 protocol Taiko confirmed a serious security breach on Monday after an attacker exploited a flaw in its bridge verification system, draining an estimated $1.5 million to $1.7 million from its ERC20 Vault. The incident has halted block production on the network and prompted urgent warnings for users to secure their funds.
What Happened
Taiko confirmed a compromise of its chain state verification mechanism, warning that the security assumptions of all bridges deployed on the protocol can no longer be relied upon. The team said it was coordinating with its Security Council and ecosystem partners to contain the damage and urged all users to withdraw funds from Taiko bridges immediately.
The breach was first flagged by blockchain security firm Blockaid, whose exploit detection system identified an ongoing attack on Taiko’s ERC20 Vault on Ethereum, estimating initial losses at more than $1 million.
The root cause, according to Blockaid, was a critical flaw in how Taiko’s bridge validated cross-chain messages. Crafted message proofs were accepted as valid on Ethereum L1 without corresponding legitimate MessageSent events on the Taiko source chain. This allowed the attacker to register and later retrieve fraudulent bridge messages, resulting in unauthorized asset releases from the ERC20 vault. In simple terms, the attacker tricked the bridge into believing legitimate cross-chain transactions had occurred on Taiko when they had not, allowing them to withdraw real assets on the Ethereum side without any valid backing.
Taiko’s Official Statement (Source: Taiko)
How Much Was Stolen
Loss estimates have varied across security firms. Blockchain security firm PeckShield estimated total losses at approximately $1.7 million, higher than Blockaid’s initial figure of over $1 million.
On-chain data tracked by Lookonchain added further detail: the attacker moved 1.99 million TAIKO tokens worth roughly $189,000 to the MEXC exchange, while approximately 870.8 ETH valued at close to $1.52 million remained sitting in exploiter wallets at the time of reporting. Four attacker wallet addresses were published by the Taiko team:
- 0x7506DeA0c38ca0B55364B22424374c5A1ae1B76a
- 0x5fbc60a12bc6635e7d587d8dac52e4b1388b4990
- 0x3cc936b795a188f0e246cbb2d74c5bd190aecf18
- 0x9108828e30f2de407aadb0af677b4a9228e4acd4
Taiko’s ERC20 Vault Hacked (Source: Arkham)
Taiko’s Response
The response from the Taiko team came in multiple stages. First came the emergency security notice and the call for users to withdraw bridge funds. Then, in a follow-up post, Taiko confirmed that all block proposers had temporarily stopped producing new blocks while the team investigates and works to resolve the issue, effectively bringing the network to a standstill as a containment measure.
Taiko also called on centralized exchanges to suspend TAIKO deposits immediately, stating that deposits should only resume following an official all-clear notice from the project. The team said it would pursue technical and legal remedies where necessary but has not provided a timeline for restoring bridge functionality or resuming block production.
In a later update, Taiko said the incident had been contained and that the Bridge and ERC20Vault had been paused. The team clarified that pending transactions are not lost, merely paused, and that users no longer need to take any action to protect their funds while the bridge remains offline.
What Is Taiko
Taiko is a based rollup — a type of rollup that relies on Ethereum block validators to sequence transactions. It launched on mainnet in May 2024 after being in development since 2022. As a Type 1 ZK-EVM, it is designed to be fully equivalent to Ethereum, meaning it supports the same smart contracts and developer tools without modification. The native TAIKO token is currently trading at around $0.084, down approximately 98% from its 2024 peak.
Part of a Broader Pattern
The Taiko hack is one of at least 23 crypto exploits recorded in June 2026, according to DeFiLlama. The month has been particularly severe for decentralized finance security, with Humanity Protocol suffering the largest single incident at over $30 million, followed by Syscoin Bridge at more than $8 million, Secret Network at $4.67 million through an infinite mint bug, and a $1.1 million drain from a PancakeSwap liquidity pool.
Bridge vulnerabilities have been among the most targeted attack surfaces in DeFi in 2026, with notable breaches hitting Gravity Bridge ($5.4 million), Axelar-Secret Network ($4.67 million), Alephium TokenBridge ($815,000), and Hyperbridge ($2.5 million), among others.
Cross-chain bridges remain structurally difficult to secure because they require one chain to trust statements made about activity on another. When the verification logic that enforces that trust can be manipulated, as was the case here, attackers can manufacture withdrawals without any corresponding deposits.
What Comes Next
The Taiko team has not given a specific timeline for when bridge services will resume. The four published attacker addresses give investigators and exchanges a trail to follow, and the speed at which exchanges freeze the flagged wallets may determine whether any of the stolen funds can be recovered. Taiko has said further updates will be issued as the situation develops.
Credit: Source link