Critical Security Alert from Taiko
In a critical security alert, Taiko, an Ethereum Layer 2 project, has advised its users to withdraw their funds from all bridges operating on its network. This warning comes after the discovery of a breach in the verification systems designed to uphold the integrity of chain states. Blockchain security firm Blockaid highlighted the incident, which involved an active threat against Taiko’s ERC20 Vault on Ethereum, estimating the damage to exceed $1 million.
Details of the Breach
Taiko confirmed that the basic security principles governing its bridge infrastructure can no longer be trusted following this breach. The notice follows Blockaid's identification of the exploit; Blockaid provided details of the compromised contract, the attacker's wallet, and the transactions involved in the hack.
The security analysis indicated that the root issue stemmed from a vulnerability in the bridge’s validation of source signals. Specifically, it appears that deceptive message proofs were wrongly validated on Ethereum Layer 1, despite the absence of corresponding legitimate “MessageSent” events on Taiko’s own source chain. This flaw allowed the perpetrator to falsely register and subsequently withdraw assets from the ERC20 vault.
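One way to monitor for the condition described above, as an added example (not Taiko's or Blockaid's code): reconcile each vault release on the destination chain against "MessageSent" events read directly from the source chain. The record types, field names and sample values are hypothetical and constructed for illustration; the replay and amount checks go beyond the single case reported here.

```python
from dataclasses import dataclass

# Hypothetical record shapes; a real monitor would fill them from an
# independently operated node on each chain, not from the bridge's own
# proof path (the component that failed in this incident).
@dataclass(frozen=True)
class SourceSent:            # a MessageSent event seen on the source chain
    msg_hash: str
    token: str
    amount: int

@dataclass(frozen=True)
class DestRelease:           # a vault release executed on the destination chain
    msg_hash: str
    token: str
    amount: int
    tx: str

def reconcile(sent, releases):
    """Return (tx, reason) for every release not backed by a source event."""
    by_hash = {s.msg_hash: s for s in sent}
    consumed = set()         # message hashes already matched to a release
    alerts = []
    for r in releases:
        src = by_hash.get(r.msg_hash)
        if src is None:
            alerts.append((r.tx, "no MessageSent on source chain"))
        elif r.msg_hash in consumed:
            alerts.append((r.tx, "message released more than once"))
        elif (src.token, src.amount) != (r.token, r.amount):
            alerts.append((r.tx, "token or amount differs from source event"))
        else:
            consumed.add(r.msg_hash)
    return alerts

# Constructed sample data (not taken from the incident).
SENT = [SourceSent("0xaa01", "TOKEN_A", 500), SourceSent("0xaa02", "TOKEN_B", 75)]
RELEASES = [
    DestRelease("0xaa01", "TOKEN_A", 500, "tx-1"),      # backed by a source event
    DestRelease("0xbb99", "TOKEN_A", 900_000, "tx-2"),  # no source event
    DestRelease("0xaa02", "TOKEN_B", 7_500, "tx-3"),    # amount mismatch
    DestRelease("0xaa01", "TOKEN_A", 500, "tx-4"),      # repeat of tx-1
]

if __name__ == "__main__":
    for tx, reason in reconcile(SENT, RELEASES):
        print(f"ALERT {tx}: {reason}")
```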
Response and Future Actions
In response to the security lapse, Taiko is currently collaborating with its Security Council and associated partners to rectify the situation. Furthermore, all proposers have halted the generation of new blocks as part of their investigation into this issue. Taiko has urged centralized exchanges to immediately pause any deposits of TAIKO, directing that such activities should only resume following official communication from the team.
As part of its update, Taiko has disclosed a series of attacker wallets and expressed its intention to pursue both technical and legal remedies, although it did not provide a specific timeframe for reinstating bridge security or resuming block production.
Context of Cross-Chain Vulnerabilities
Taiko operates as a Type 1 Ethereum-equivalent ZK-EVM rollup, intended to function as a base layer where validators on Ethereum Layer 1 assist with transaction ordering. The mainnet was launched in May 2024 and is designed to support Ethereum-compatible smart contracts and development tools.
This incident reflects a broader trend of security vulnerabilities within cross-chain systems, with crypto.news reporting that such bridges experienced losses totaling $28.6 million in May alone, amounting to over 42% of the total losses reported that month, according to CertiK's analysis. Previous breaches have also plagued other cross-chain protocols this year, including an $11.5 million loss at Verus Protocol and a $4.7 million exploit that caused Axelar to cease bridge operations with Secret Network. Additionally, an older Aztec Connect contract faced a verification error that allowed around $2.1 million in unbacked balances to flow undetected through the Ethereum settlement records.