Taiko, an Ethereum layer-2 network, halted block production and urged users to withdraw funds after an attacker exploited its bridge to steal about $1.7 million. The TAIKO token has slumped more than 20% since midnight UTC. The exploit used forged cross-chain proofs, the same type of flaw behind this year's biggest bridge hacks.
The Exploit and Immediate Response
The attacker forged the proofs a bridge uses to confirm that a withdrawal matches a real deposit. Fake withdrawal requests were accepted on Ethereum without any matching transaction on Taiko's chain, allowing the attacker to drain funds from the bridge and its token vault. Taiko stopped block production and asked centralized exchanges to suspend deposits of its TAIKO token. By about 2 a.m. ET, the team said the exploit had been contained and withdrawals through the main bridge and token vault halted.
Root Cause: Exposed Signing Key
Security firm BlockSec traced the likely cause to a signing key for Raiko, Taiko's multi-prover stack, that was left publicly accessible on GitHub. The key is meant to stay sealed inside secure hardware so proofs can be trusted. If exposed, attackers can enroll their own provers as legitimate and sign fraudulent proofs that Taiko's verifier accepted, then fake a bridge withdrawal that releases real assets on Ethereum. The exploiter moved about 2 million TAIKO, worth roughly $170,000, to an account on the MEXC exchange.
Broader Context: Bridge Vulnerabilities
While the dollar loss is relatively small, the exploit used the same cross-chain messaging flaw behind more than $340 million in bridge hacks this year. Forged cross-chain messages drained $292 million from Kelp DAO's bridge in April and $11.4 million from the Verus-Ethereum bridge in May. Bridges have produced more than $340 million in losses across at least 14 exploits in 2026, making them the costliest target in crypto. Taiko's damage stayed contained mainly because the team caught and froze it within hours. Taiko, which launched on Ethereum in May 2024, said it is preparing a full incident report.