Taiko has urged users to withdraw funds from all bridges deployed on its network after confirming a compromise of its chain state verification mechanism.
Summary
- Taiko urged users to withdraw bridge funds after confirming a chain verification mechanism compromise.
- Blockaid said flawed source-signal proof checks enabled unauthorized releases from Taiko’s ERC20 Vault on Ethereum.
- Taiko also stopped proposers from producing blocks and asked exchanges to suspend TAIKO deposits immediately.
The Ethereum Layer 2 project said the security assumptions behind its bridge system could no longer be relied upon.
The notice followed alerts from blockchain security firm Blockaid, which said its exploit detection system found an ongoing attack on Taiko’s ERC20 Vault on Ethereum. Blockaid put losses at more than $1 million and shared the victim contract, attacker wallet and exploit transactions.
Blockaid points to Taiko proof validation flaw
Blockaid said the likely root cause was a flaw in Taiko bridge source-signal proof validation. The firm said crafted message proofs were accepted as valid on Ethereum L1 even though there were no matching legitimate “MessageSent” events on the Taiko source chain.
That allowed the attacker to register and later retrieve fraudulent bridge messages, leading to unauthorized asset releases from the ERC20 vault. Taiko later confirmed a broader verification problem and said it was working with the Security Council and ecosystem partners.
Moreover, Taiko also said all proposers had temporarily stopped producing new blocks while the team investigates and resolves the issue. The project asked centralized exchanges to suspend TAIKO deposits immediately and said deposits should resume only after an official notice.
The team published several attacker addresses as part of its update. It said it would take technical and legal steps where needed, but did not give a timeline for restoring bridge security or restarting block production.
Bridge risks remain in focus
Taiko is a Type 1 Ethereum-equivalent ZK-EVM rollup designed as a based rollup, where Ethereum L1 validators are expected to help order transactions. The network launched mainnet in May 2024 and supports Ethereum-compatible smart contracts and tools.
Meanwhile, crypto.news recently reported that cross-chain bridge exploits caused $28.6 million in May losses, or about 42% of that month’s total reported by CertiK.
The incident comes after other cross-chain security failures this year. As previously reported by crypto.news, Verus Protocol’s Ethereum bridge lost more than $11.5 million in a forged-transfer exploit, while Axelar disabled Secret Network bridge routes after a $4.7 million exploit.
Moreover, as crypto.news earlier reported, an old Aztec Connect contract lost about $2.1 million after a verification mismatch let unbacked balances move through Ethereum settlement records.