Verify a decision

{"actor":"system:backfill","investigation_id":"e7571a21-62a4-49e5-af98-83b7f5b14098","kind":"publish","page_slug":"taiko-ethereum-l2-bridge","published_at":"2026-06-25T23:08:12.102Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Taiko Ethereum L2 Bridge","sections":[{"content":"On June 22, 2026, Taiko — an Ethereum-equivalent (Type-1) layer-2 rollup operated by Taiko Labs — suffered a bridge exploit resulting in an estimated $1.7 million in losses from its L1 Bridge contract (0xd60247c6848B7Ca29eDdF63AA924E53dB6Ddd8EC) and ERC20Vault contract (0x996282cA11E5DEb6B5D122CC3B9A1FcAAD4415Ab) on Ethereum mainnet. Blockaid's automated monitoring system detected the attack in real time; Taiko's team contained the incident between approximately 2:00 a.m. and 2:08 a.m. ET. Taiko halted block production network-wide and issued an urgent advisory for all users to exit every bridge deployed on the chain. Centralized exchanges were asked to suspend TAIKO deposits pending investigation. The TAIKO token fell approximately 10–20% on the news, briefly touching an all-time low near $0.073. The $1.7 million loss represented approximately 11.7% of TAIKO's roughly $14.5 million market capitalization at the time of the incident. An official postmortem had been pledged by Taiko Labs but had not been published as of the date of this report.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":2,"name":"Taiko Halts Blocks After $1.7M Exploit, Urges Users to Exit Bridges — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/06/22/taiko-halts-blocks-after-1-7m-exploit-urges-users-to-exit-bridges/"},{"credibility":2,"name":"Ethereum Layer 2 Taiko Halts Network After $1.7M Exploit, Token Falls 11% — CoinCodex","type":"news_article","url":"https://coincodex.com/article/86299/ethereum-layer-2-taiko-halts-network-after-17m-exploit-token-falls-11/"}]},{"content":"Security firms BlockSec (via its Phalcon monitoring arm) and Quill Audits independently identified the root cause as an Intel SGX RSA-3072 private signing key stored in a file named enclave-key.pem that had been committed in plaintext to the public taikoxyz/raiko GitHub repository. Raiko is Taiko's multi-prover stack, which uses Intel SGX Trusted Execution Environments to generate cryptographic attestations that Taiko's L1 bridge contracts accept as proof of valid L2 state transitions. Under the intended design, the SGX enclave signing key is meant to remain sealed inside tamper-resistant secure hardware, restricting proof generation to authorized participants only. Committing the key to a public repository made it accessible to any observer with a GitHub account, entirely negating the trust model of the TEE-based proving system. The Ledger CTO and other security researchers who commented publicly on the incident characterized the failure as an operational key management error rather than a flaw in the SGX or Raiko protocol designs themselves.","heading":"Root Cause: SGX Signing Key Committed to Public GitHub Repository","severity":"critical","sources":[{"credibility":2,"name":"$1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"credibility":2,"name":"Taiko Bridge Drained $1.7M After SGX Signing Key Left Exposed on GitHub — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/taiko-bridge-exploit-sgx-signing-key-github-1-7m"},{"credibility":2,"name":"Ledger CTO: Private Key Leak Caused the Taiko Hack — Incrypted","type":"news_article","url":"https://incrypted.com/en/ledger-cto-private-key-leak-caused-taiko-hack/"},{"credibility":1,"name":"GitHub — taikoxyz/raiko (public repository containing the Raiko multi-prover stack)","type":"official","url":"https://github.com/taikoxyz/raiko"}]},{"content":"Armed with the leaked enclave-key.pem, the attacker executed a two-stage attack. In the first stage, the attacker enrolled a rogue SGX prover on Taiko's on-chain verifier. Because the bridge contracts' MrSigner verification is derived from the public counterpart of the exposed key, the forged prover was indistinguishable from an authorized one. The rogue prover then signed fraudulent L2 state attestations. In the second stage, the attacker called processMessage() on the L1 Bridge contract, setting withdrawal message statuses to RETRIABLE for messages that had no corresponding MessageSent events on Taiko's source chain — meaning no actual deposits had been made on L2. Subsequent retryMessage() calls executed with minimal additional validation and released funds from the L1 Bridge (0xd60247c6848B7Ca29eDdF63AA924E53dB6Ddd8EC) and the ERC20Vault (0x996282cA11E5DEb6B5D122CC3B9A1FcAAD4415Ab). Prior to the freeze, the attacker moved approximately 2 million TAIKO tokens (approximately $170,000) to an account on the MEXC exchange. Total losses from both contracts are estimated at approximately $1.7 million.","heading":"Attack Mechanics and On-Chain Activity","severity":"critical","sources":[{"credibility":2,"name":"Taiko Bridge Exploit: How a Leaked Key Drained $1.7M from an Ethereum L2 — Thirdweb Blog","type":"research","url":"https://blog.thirdweb.com/taiko-bridge-exploit-explained-how-a-leaked-key-led-to-1-7m-in-forged-withdrawals/"},{"credibility":2,"name":"Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained — SpotedCrypto","type":"news_article","url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"credibility":2,"name":"$1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"}]},{"content":"Blockaid's automated exploit detection system identified the attack in real time, with the activity detected and frozen between approximately 2:00 a.m. and 2:08 a.m. ET on June 22, 2026 — an interval of approximately eight minutes. Taiko's response included: halting all block production network-wide; freezing the L1 Bridge and ERC-20 Vault withdrawal functions; issuing a public advisory urging all users to exit every bridge on the network; requesting that exchanges suspend TAIKO token deposits; activating the Security Council multisig governance body; publishing the alleged attacker's known wallet addresses; and committing to publish a full incident post-mortem. Taiko Labs stated it was coordinating with exchanges and security partners to track and attempt to freeze attacker assets. BlockSec's Phalcon monitoring arm also flagged the exploit and contributed to post-incident analysis.","heading":"Detection and Immediate Response","severity":"high","sources":[{"credibility":1,"name":"Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":2,"name":"Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained — SpotedCrypto","type":"news_article","url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"credibility":2,"name":"Taiko Loses $1.7M In Bridge Exploit, Suspends Block Production And Freezes Withdrawals — Metaverse Post","type":"news_article","url":"https://mpost.io/taiko-loses-1-7m-in-bridge-exploit-suspends-block-production-and-freezes-withdrawals/"}]},{"content":"On June 22, 2026 at 17:09 UTC, Taiko developers opened recovery pull request 21820 against the v3.0.0 protocol branch of the taikoxyz/taiko-mono repository. The PR spans 15 changed files with 485 additions and 269 deletions and bundles four structural fixes: (1) checkpoint versioning, which invalidates all stored checkpoints and forces re-derivation from a clean state to prevent state replay; (2) Inbox state reset, which restores core chain state to a point prior to the attack; (3) bridge-message invalidation, which voids the fraudulent withdrawal messages created during the exploit; and (4) QuotaManager restoration, which reinstates per-window transfer limits — reported as approximately $200,000 per 15-minute window — as a rate-limiting safeguard against future large-scale withdrawals. As of the date of this investigation, the PR remained open and unmerged. Bridge reopening is contingent on the PR being merged, a post-merge security review, and Security Council multisig approval.","heading":"Recovery Plan: Pull Request 21820","severity":"high","sources":[{"credibility":2,"name":"Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained — SpotedCrypto","type":"news_article","url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"credibility":2,"name":"Taiko Rollup Confirms Bridge Exploit After Chain State Verification Compromise — CryptoWisser","type":"news_article","url":"https://www.cryptowisser.com/news/taiko-rollup-confirms-bridge-exploit-after-chain-state-verification-compromise"}]},{"content":"The TAIKO token declined approximately 10–20% intraday following public disclosure of the exploit on June 22, 2026. Multiple outlets reported a low near $0.073, characterized as an all-time low for the asset. At an estimated market capitalization of approximately $14.5 million at the time of the attack, the $1.7 million drained represented approximately 11.7% of the total market cap — an outsized impact relative to larger protocols with deeper liquidity. Approximately 2 million TAIKO tokens (approximately $170,000) were moved by the alleged attacker to a MEXC exchange account before the freeze; recovery of those funds had not been publicly confirmed as of this report. CoinMarketCap and CoinCodex reported the intraday token decline at approximately 11%; other sources reported up to 20%, likely reflecting different measurement windows.","heading":"Market and Token Impact","severity":"high","sources":[{"credibility":1,"name":"Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":2,"name":"Taiko Urges Bridge Exit After Hackers Drain $1.7M — CoinMarketCap","type":"news_article","url":"https://coinmarketcap.com/academy/article/taiko-urges-bridge-exit-after-hackers-drain-dollar17m"},{"credibility":2,"name":"Ethereum Layer 2 Taiko Halts Network After $1.7M Exploit, Token Falls 11% — CoinCodex","type":"news_article","url":"https://coincodex.com/article/86299/ethereum-layer-2-taiko-halts-network-after-17m-exploit-token-falls-11/"}]},{"content":"The Taiko incident is part of an accelerating pattern of cross-chain bridge exploits in 2026. Analysts have reported more than $340 million in bridge losses across at least 14 exploits in 2026 as of the date of this incident, making bridges the single costliest attack surface in crypto. The underlying vulnerability class — forged cross-chain proof submission enabled by compromised or misconfigured key material — is consistent with earlier major bridge exploits. The Taiko case is notable for using a leaked Trusted Execution Environment signing key as the attack vector, which demonstrates that TEE-based proving systems provide no protection against operational credential-management failures. Security commentary has noted that damage was contained primarily because of rapid third-party detection and manual intervention rather than any on-chain circuit breaker active at the time of the attack.","heading":"Broader Context: Bridge Exploit Pattern in 2026","severity":"medium","sources":[{"credibility":2,"name":"Taiko Bridge Exploit: Why L2 Withdrawal UX Is Becoming a DeFi Safety Test — CryptoDaily","type":"news_article","url":"https://cryptodaily.co.uk/2026/06/taiko-bridge-exploit-l2-withdrawal-ux-defi-safety-test"},{"credibility":2,"name":"Ethereum L2 Bridge Exploit Drains $1.7M: Leaked SGX Key Defeats Taiko Trust Model — TechTimes","type":"news_article","url":"https://www.techtimes.com/articles/318886/20260623/ethereum-l2-bridge-exploit-drains-17m-leaked-sgx-key-defeats-taiko-trust-model.htm"},{"credibility":2,"name":"Taiko Bridge Exploit: How a Leaked Key Drained $1.7M from an Ethereum L2 — Thirdweb Blog","type":"research","url":"https://blog.thirdweb.com/taiko-bridge-exploit-explained-how-a-leaked-key-led-to-1-7m-in-forged-withdrawals/"}]}],"sources_used":[{"credibility":1,"name":"Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":2,"name":"Taiko Bridge Drained $1.7M After SGX Signing Key Left Exposed on GitHub — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/taiko-bridge-exploit-sgx-signing-key-github-1-7m"},{"credibility":2,"name":"Taiko Bridge Exploit: How a Leaked Key Drained $1.7M from an Ethereum L2 — Thirdweb Blog","type":"research","url":"https://blog.thirdweb.com/taiko-bridge-exploit-explained-how-a-leaked-key-led-to-1-7m-in-forged-withdrawals/"},{"credibility":2,"name":"Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained — SpotedCrypto","type":"news_article","url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"credibility":2,"name":"Taiko Hack Forces Bridge Withdrawal Warning Amid $1.7M Incident — Bitcoin Foundation News","type":"news_article","url":"https://bitcoinfoundation.org/news/blockchain-news/ethereum-l2-taiko-hack-forces-bridge-warning-amid-1-7m-exploit/"},{"credibility":2,"name":"$1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"credibility":2,"name":"Taiko Halts Blocks After $1.7M Exploit, Urges Users to Exit Bridges — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/06/22/taiko-halts-blocks-after-1-7m-exploit-urges-users-to-exit-bridges/"},{"credibility":2,"name":"Taiko Urges Bridge Exit After Hackers Drain $1.7M — CoinMarketCap","type":"news_article","url":"https://coinmarketcap.com/academy/article/taiko-urges-bridge-exit-after-hackers-drain-dollar17m"},{"credibility":2,"name":"Ethereum Layer 2 Taiko Halts Network After $1.7M Exploit, Token Falls 11% — CoinCodex","type":"news_article","url":"https://coincodex.com/article/86299/ethereum-layer-2-taiko-halts-network-after-17m-exploit-token-falls-11/"},{"credibility":2,"name":"Ethereum L2 Bridge Exploit Drains $1.7M: Leaked SGX Key Defeats Taiko Trust Model — TechTimes","type":"news_article","url":"https://www.techtimes.com/articles/318886/20260623/ethereum-l2-bridge-exploit-drains-17m-leaked-sgx-key-defeats-taiko-trust-model.htm"},{"credibility":2,"name":"Ledger CTO: Private Key Leak Caused the Taiko Hack — Incrypted","type":"news_article","url":"https://incrypted.com/en/ledger-cto-private-key-leak-caused-taiko-hack/"},{"credibility":2,"name":"Taiko Rollup Confirms Bridge Exploit After Chain State Verification Compromise — CryptoWisser","type":"news_article","url":"https://www.cryptowisser.com/news/taiko-rollup-confirms-bridge-exploit-after-chain-state-verification-compromise"},{"credibility":2,"name":"Taiko Bridge Exploit: Why L2 Withdrawal UX Is Becoming a DeFi Safety Test — CryptoDaily","type":"news_article","url":"https://cryptodaily.co.uk/2026/06/taiko-bridge-exploit-l2-withdrawal-ux-defi-safety-test"},{"credibility":2,"name":"Taiko Loses $1.7M In Bridge Exploit, Suspends Block Production And Freezes Withdrawals — Metaverse Post","type":"news_article","url":"https://mpost.io/taiko-loses-1-7m-in-bridge-exploit-suspends-block-production-and-freezes-withdrawals/"},{"credibility":2,"name":"Taiko Issues Urgent Warning After Bridge Security Breach — CoinPedia","type":"news_article","url":"https://coinpedia.org/news/crypto-news-today-taiko-issues-urgent-warning-after-bridge-security-breach/"},{"credibility":1,"name":"GitHub — taikoxyz/raiko (public repository containing the Raiko multi-prover stack)","type":"official","url":"https://github.com/taikoxyz/raiko"}],"summary":"On June 22, 2026, Taiko — an Ethereum-equivalent layer-2 rollup — suffered a bridge exploit in which an attacker drained approximately $1.7 million from its L1 Bridge and ERC-20 vault by using an RSA-3072 Intel SGX signing key that had been committed in plaintext to the public taikoxyz/raiko GitHub repository. The attacker used the key to register as a legitimate prover, forge L2 state attestations, and execute fraudulent withdrawal transactions on Ethereum with no corresponding deposits on Taiko's chain. Taiko halted block production network-wide, froze affected contracts, and urged all users to exit every bridge on the network within approximately eight minutes of the attack being detected by Blockaid's monitoring system.","timeline":[{"date":"2026-06-22","event":"Attack begins: attacker uses leaked Intel SGX RSA-3072 enclave-key.pem from the public taikoxyz/raiko GitHub repository to register a rogue prover and begin submitting forged withdrawal proofs on Ethereum. Approximately $1.7 million drained from L1 Bridge and ERC20Vault contracts.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"date":"2026-06-22","event":"Blockaid's automated monitoring system detects the exploit in real time. Taiko halts block production and freezes L1 Bridge and ERC20Vault withdrawals by approximately 2:08 a.m. ET — roughly eight minutes after the attack began.","source":"SpotedCrypto","source_url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"date":"2026-06-22","event":"Taiko publicly urges all users to withdraw funds from all bridges deployed on the chain, requests centralized exchanges suspend TAIKO deposits, and activates the Security Council multisig governance body.","source":"CoinDesk / BanklessTimes","source_url":"https://www.banklesstimes.com/articles/2026/06/22/taiko-halts-blocks-after-1-7m-exploit-urges-users-to-exit-bridges/"},{"date":"2026-06-22","event":"Alleged attacker moves approximately 2 million TAIKO tokens (approximately $170,000) to a MEXC exchange account before the full freeze takes effect.","source":"Thirdweb Blog / CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"date":"2026-06-22","event":"TAIKO token price falls approximately 10–20% intraday, with multiple outlets reporting an all-time low near $0.073.","source":"CoinCodex","source_url":"https://coincodex.com/article/86299/ethereum-layer-2-taiko-halts-network-after-17m-exploit-token-falls-11/"},{"date":"2026-06-22","event":"Recovery pull request 21820 opened at 17:09 UTC against the v3.0.0 protocol branch with four structural fixes: checkpoint versioning, Inbox state reset, bridge-message invalidation, and QuotaManager restoration.","source":"SpotedCrypto","source_url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"date":"2026-06-23","event":"Additional security analysis published by TechTimes and other outlets confirming the SGX trust model was defeated by the plaintext key commit. Ledger CTO comments publicly attributing root cause to operational key management failure.","source":"TechTimes / Incrypted","source_url":"https://www.techtimes.com/articles/318886/20260623/ethereum-l2-bridge-exploit-drains-17m-leaked-sgx-key-defeats-taiko-trust-model.htm"}]},"v":1}