Ethereum Layer-2 Taiko Warns Users to Withdraw Bridge Funds After Security Breach

In brief Taiko said its chain state verification mechanism was compromised and urged users to withdraw funds from all bridges on the network. BlockSec Phalcon estimated losses exceeding $1.7 million and linked the attack to an exposed Raiko SGX enclave signing key. The breach raises questions about the security of the protocol's proof verification infrastructure. The developers behind the Taiko network have urged users to withdraw funds from all bridges deployed on its Ethereum layer-2 blockchain after confirming a compromise of its chain state verification mechanism.In a security notice posted Sunday, the project said the security assumptions underlying all bridges on Taiko could no longer be relied upon. The team said it was coordinating with its Security Council and ecosystem partners to contain the incident, pause affected systems where possible, and pursue technical and legal responses."We strongly advise all users to withdraw their funds from all bridges deployed on Taiko immediately," the team wrote on X.Taiko is an Ethereum layer-2 network that uses zero-knowledge rollups to process transactions more efficiently while remaining compatible with Ethereum. Co-founded by former Loopring CEO Daniel Wang, the network launched its mainnet in May 2024 as dedicated data storage for Ethereum scalers.Taiko did not disclose the cause of the breach or provide an estimate of losses; however, according to Blockchain security firm BlockSec Phalcon, the attack resulted in losses exceeding $1.7 million. In a preliminary analysis, the firm said the likely cause was an exposed Raiko SGX enclave signing key that had been publicly accessible on GitHub.“Because the enclave signing key was publicly accessible, the SGX prover trust model may have been broken,” BlockSec Phalcon wrote on X. “The exposed key may have allowed the attacker to register attacker-controlled SGX instances via SgxVerifier.registerInstance.”According to BlockSec, attackers may have used compromised verifier instances to generate fraudulent proofs that were accepted by Taiko's verification contracts. The attacker then used a forged signal to register a fake bridge message and trigger the release of Ethereum-based assets from the protocol's ERC20Vault.The Taiko breach follows a string of major crypto exploits. In April, attackers stole $292 million from KelpDAO's cross-chain bridge in an attack later linked to North Korea's Lazarus Group. In May, Echo Protocol disclosed a breach involving the unauthorized minting of $77 million worth of eBTC on Monad, though the project estimated realized losses at about $816,000. Earlier this month, Solana-based exchange Raydium lost $1.34 million after attackers exploited deprecated liquidity pools.In total, DeFi protocols lost more than $840 million in the first five months of the year.Daily Debrief NewsletterStart every day with the top news stories right now, plus original features, a podcast, videos and more.