Taiko Confirms Security Breach and Urges Users to Withdraw Funds

Taiko confirmed a security breach affecting its chain state verification mechanism after attackers exploited a flaw in the protocol’s proof validation system.

The vulnerability allowed fraudulent bridge messages to be accepted as valid, which resulted in unauthorized withdrawals from Taiko’s ERC-20 vaults. The protocol warned users that all bridges on the network should be considered unsafe, advised immediate fund withdrawals, and requested that exchanges suspend Taiko token deposits.

Taiko Investigates Major Security Breach

Taiko, an Ethereum-based Layer 2 rollup, confirmed a serious security breach involving its chain state verification mechanism. The protocol warned users that all bridges deployed on the network should currently be considered unsafe. The team also urged users to immediately withdraw funds from any Taiko-connected bridges while investigations continue.

The incident appears to stem from a flaw in the protocol’s proof validation process. According to blockchain security firm Blockaid, attackers exploited a weakness in Taiko’s bridge source-signal proof validation system. The vulnerability allowed specially crafted message proofs to be accepted as legitimate on Ethereum without corresponding valid events occurring on the Taiko network itself.

As a result, the attacker was able to create fraudulent bridge messages that looked authentic to the bridge contracts. These fake messages were then used to unlock and withdraw assets from Taiko’s ERC-20 token vaults without proper authorization. In essence, the exploit tricked the bridge into releasing funds that should never have been accessible.

After the discovery of the attack, Taiko announced that it is working closely with its Security Council and ecosystem partners to contain the damage, pause affected systems where possible, and implement technical and legal responses. The protocol also requested that centralized cryptocurrency exchanges suspend deposits of Taiko’s native token until the situation is fully assessed and resolved.

Taiko revealed that all of its proposers stopped producing new blocks while the team investigates the compromise. This is done to limit further exposure and preserve the integrity of the network during the incident response process.

The estimated losses from the exploit are still unclear, with different security firms reporting varying figures. Blockaid initially estimated the stolen funds at approximately $1 million. However, blockchain analytics firm PeckShield later reported that the total losses may be closer to $1.7 million.

PeckShield also identified suspicious fund movements linked to the attacker, including the transfer of approximately 1.99 million Taiko tokens, valued at around $170,000, to an address associated with the MEXC cryptocurrency exchange.

The exploit is a major setback for Taiko, which launched its mainnet in May of 2024 after nearly two years of development. As a based rollup, Taiko relies on Ethereum validators for transaction sequencing, a design intended to inherit much of Ethereum’s security.

For now, the investigation is still ongoing, and users are being advised to exercise caution until Taiko provides updates about the security of its network and bridging infrastructure.