Verify a decision

{"actor":"system:backfill","investigation_id":"ef51aa99-9639-4d3d-a2cb-0e03d1142485","kind":"publish","page_slug":"taiko-l2-bridge-exploit-june-2026","published_at":"2026-06-29T12:14:35.972Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Taiko L2 Bridge Exploit June 2026","sections":[{"content":"On the night of June 21–22, 2026, Taiko's cross-chain bridge infrastructure was exploited for approximately $1.7 million. The attacker registered a fraudulent prover using a leaked SGX signing key and submitted forged withdrawal proofs to Ethereum mainnet bridge contracts, releasing assets from Taiko's L1 Bridge contract (0xd60247c6848B7Ca29eDdF63AA924E53dB6Ddd8EC) and ERC20Vault (0x996282cA11E5DEb6B5D122CC3B9A1FcAAD4415Ab) without corresponding deposits on Taiko L2. On-chain security firm Blockaid detected the attack in real time. Taiko contained the exploit by approximately 2:08 a.m. ET on June 22. The team activated its Security Council multisig, paused the bridge and token vault, halted block production, and requested centralized exchanges suspend TAIKO deposits. The TAIKO token fell approximately 10–20% following the disclosure, touching an all-time low near $0.07, with a market capitalization of roughly $14.5 million.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk: Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":1,"name":"Decrypt: Ethereum Layer-2 Taiko Warns Users to Withdraw Bridge Funds After Security Breach","type":"news_article","url":"https://decrypt.co/371769/ethereum-layer-2-taiko-warns-153103509.html"},{"credibility":2,"name":"CoinCodex: Ethereum Layer 2 Taiko Halts Network After $1.7M Exploit, Token Falls 11%","type":"news_article","url":"https://coincodex.com/article/86299/ethereum-layer-2-taiko-halts-network-after-17m-exploit-token-falls-11/"}]},{"content":"The primary cause of the exploit was an operational security failure: an RSA-3072 private key used for Intel SGX enclave signing — stored in a file named enclave-key.pem — had been committed to the public taikoxyz/raiko GitHub repository. Raiko is Taiko's multi-prover stack, which uses Intel SGX enclaves to generate cryptographic attestations that Taiko's L1 bridge contracts accept as proof that L2 state transitions are valid. The key should have remained sealed inside secure hardware and never been readable outside the enclave. Because the key was publicly accessible, the attacker was able to register a rogue prover whose MrSigner value — derived from the public key — matched the value stored in the on-chain verifier. The SGX hardware attestation mechanism functioned correctly but validated the wrong operator, making this a trust-model failure rather than a code vulnerability in the attestation protocol itself. Security firm BlockSec confirmed the root cause via its Phalcon monitoring platform.","heading":"Root Cause: Exposed SGX Signing Key","severity":"critical","sources":[{"credibility":2,"name":"Thirdweb: Taiko Bridge Exploit: How a Leaked Key Drained $1.7M from an Ethereum L2","type":"research","url":"https://blog.thirdweb.com/taiko-bridge-exploit-explained-how-a-leaked-key-led-to-1-7m-in-forged-withdrawals/"},{"credibility":2,"name":"SpotedCrypto: Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained","type":"news_article","url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"credibility":2,"name":"The Defiant: Taiko Bridge Drained $1.7M After SGX Signing Key Left Exposed on GitHub","type":"news_article","url":"https://thedefiant.io/news/hacks/taiko-bridge-exploit-sgx-signing-key-github-1-7m"},{"credibility":2,"name":"CryptoTimes: $1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"}]},{"content":"The exploit unfolded in two phases. In the first phase, the attacker used the leaked enclave-key.pem to register a forged SGX prover instance and generate fake L2 state attestations. Because the on-chain verifier accepted any enclave whose MrSigner matched the stored public key, the attacker's maliciously signed enclave passed verification. In the second phase, the forged attestations enabled processMessage() calls that set withdrawal message statuses to RETRIABLE. Subsequent retryMessage() calls then executed with minimal additional checks, releasing ETH and ERC-20 tokens from bridge and vault contracts on Ethereum mainnet. The attacker submitted these withdrawal requests without any corresponding MessageSent events on Taiko's source chain, meaning no assets had ever been deposited on L2. Approximately 870 ETH (roughly $1.52 million) and 1.99 million TAIKO tokens (approximately $170,000–$189,000) were extracted. The attacker moved the TAIKO portion to an address associated with MEXC exchange.","heading":"Attack Mechanics","severity":"critical","sources":[{"credibility":2,"name":"Thirdweb: Taiko Bridge Exploit: How a Leaked Key Drained $1.7M from an Ethereum L2","type":"research","url":"https://blog.thirdweb.com/taiko-bridge-exploit-explained-how-a-leaked-key-led-to-1-7m-in-forged-withdrawals/"},{"credibility":2,"name":"CryptoTimes: $1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"credibility":2,"name":"TechTimes: Ethereum L2 Bridge Exploit Drains $1.7M: Leaked SGX Key Defeats Taiko Trust Model","type":"news_article","url":"https://www.techtimes.com/articles/318886/20260623/ethereum-l2-bridge-exploit-drains-17m-leaked-sgx-key-defeats-taiko-trust-model.htm"}]},{"content":"Two Ethereum mainnet contracts were directly drained in the exploit. The Bridge contract at address 0xd60247c6848B7Ca29eDdF63AA924E53dB6Ddd8EC processed and released ETH-denominated messages. The ERC20Vault at address 0x996282cA11E5DEb6B5D122CC3B9A1FcAAD4415Ab released ERC-20 token balances. Both contracts were subsequently paused by Taiko's Security Council multisig to halt further outflows.","heading":"Affected Smart Contracts","severity":"critical","sources":[{"credibility":2,"name":"CryptoTimes: $1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"credibility":2,"name":"SpotedCrypto: Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained","type":"news_article","url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"}]},{"content":"Taiko's response was rapid relative to many comparable bridge incidents. The team activated its Security Council multisig and froze both the L1 Bridge and ERC20Vault contracts, halting further outflows. Block proposers stopped producing new blocks. Taiko published the attacker's wallet addresses publicly and requested that centralized exchanges immediately suspend TAIKO deposits. South Korean exchanges Upbit and Bithumb suspended TAIKO deposits and withdrawals citing a network issue. The team also warned users against unsolicited direct messages and fraudulent recovery websites, stating: 'We'll never DM you first, and there's no claim or refund site.' Taiko's CEO filed a formal report with Singapore authorities and pledged full cooperation with investigators. The team committed that 'no user will lose funds because of this incident,' announcing the bridge would be fully recollateralized 1:1 before reopening.","heading":"Team Response and Containment","severity":"high","sources":[{"credibility":2,"name":"CryptoTimes: Taiko to Fully Restore Bridge Backing After $1.7M Hack","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/taiko-to-fully-restore-bridge-backing-after-1-7m-hack/"},{"credibility":1,"name":"Decrypt: Ethereum Layer-2 Taiko Warns Users to Withdraw Bridge Funds After Security Breach","type":"news_article","url":"https://decrypt.co/371769/ethereum-layer-2-taiko-warns-153103509.html"},{"credibility":2,"name":"MEXC: Upbit Halts TAIKO Deposits and Withdrawals Amid Network Issue","type":"official","url":"https://www.mexc.com/news/1162981"},{"credibility":2,"name":"MEXC: Bithumb Temporarily Halts TAIKO Deposits and Withdrawals Due to Mainnet Issue","type":"official","url":"https://www.mexc.com/news/1162980"}]},{"content":"On approximately June 28, 2026, Taiko published a four-step plan to restore the network. Step one involves deploying recovery pull request PR #21820 — which bundles four structural fixes — and confirming the chain's finalized state with no remaining forged checkpoints or attacker-controlled claims reachable. Step two requires full 1:1 bridge recollateralization so every L2 asset is backed by an equivalent asset on Ethereum mainnet before the bridge reopens; users can verify this backing on-chain. Step three restores transfers, swaps, and trading on L2 before the bridge fully opens, allowing the team to monitor normal chain activity under live conditions. Step four reopens the bridge for general deposits and withdrawals after the post-fix audit and Security Council multisig approval. The four fixes bundled in PR #21820 include checkpoint versioning with immutable version namespacing, an Inbox state reset via a one-time Inbox.init2() call, invalidation of three attacker message hashes by marking them DONE, and restoration of QuotaManager rate limits on bridge outflows. At the time of publication, PR #21820 remained unmerged pending Security Council sign-off.","heading":"Four-Step Restart Plan","severity":"high","sources":[{"credibility":2,"name":"crypto.news: Taiko sets four-step restart plan after June 21 bridge attack","type":"news_article","url":"https://crypto.news/taiko-sets-four-step-restart-plan-after-june-21-bridge-attack/"},{"credibility":2,"name":"cryptonews.net: Taiko sets four-step restart plan after June 21 bridge attack","type":"news_article","url":"https://cryptonews.net/news/security/33075428/"},{"credibility":2,"name":"SpotedCrypto: Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained","type":"news_article","url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"}]},{"content":"The TAIKO token experienced significant downward pressure following the disclosure. CoinDesk reported the token slumped more than 20% since midnight UTC on June 22. CoinCodex reported an 11% decline to approximately $0.07294 in the immediate hours after disclosure. Invezz reported the token touched an all-time low during the incident. Taiko's market capitalization at the time of the exploit was approximately $14.5 million. The price drop was exacerbated by exchange-level suspensions of TAIKO deposits and withdrawals at Upbit, Bithumb, and other venues, which reduced available liquidity and market maker activity.","heading":"Token Price and Market Impact","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":2,"name":"CoinCodex: Ethereum Layer 2 Taiko Halts Network After $1.7M Exploit, Token Falls 11%","type":"news_article","url":"https://coincodex.com/article/86299/ethereum-layer-2-taiko-halts-network-after-17m-exploit-token-falls-11/"},{"credibility":2,"name":"AMBCrypto: Taiko token crashes 10% following $1.7mln exploit","type":"news_article","url":"https://ambcrypto.com/taiko-token-crashes-10-following-1-7mln-exploit-details/"}]},{"content":"The Taiko incident is part of a documented pattern of cross-chain bridge exploits in 2026. By mid-to-late June 2026, bridge hacks had totaled over $340 million across more than 14 separate incidents. The largest single incident was the Kelp DAO exploit in April 2026, in which approximately $292 million was drained via a compromised LayerZero DVN setup using a 1-of-1 node quorum, allegedly by North Korea's Lazarus Group. Gravity Bridge lost $5.4 million on May 30, 2026, in what was attributed to signing key compromise rather than a code flaw. Taiko's proof-forgery vector represents a distinct attack class from these prior incidents: rather than oracle manipulation or multisig compromise, it exploited the operational assumption that the trusted execution environment's signing credential would never be publicly disclosed. Security researchers have noted that bridges structurally concentrate the collateral of multiple chains into a single verification point, making any flaw in that verification — whether technical or operational — capable of draining large sums rapidly.","heading":"Broader 2026 Bridge Exploit Context","severity":"medium","sources":[{"credibility":1,"name":"Chainalysis: Inside the KelpDAO Bridge Exploit","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":1,"name":"CoinDesk: The $292 million Kelp DAO exploit shows why crypto bridges are still one of the industry's weakest links","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/21/the-usd292-million-kelp-dao-exploit-shows-why-crypto-bridges-are-still-one-of-the-industry-s-weakest-links"},{"credibility":2,"name":"CryptoTimes: Crypto Bridge Hacks Top $328M in 2026 as Cross-Chain Exploits Accelerate","type":"news_article","url":"https://www.cryptotimes.io/2026/05/18/crypto-bridge-hacks-top-328m-in-2026-as-cross-chain-exploits-accelerate/"},{"credibility":2,"name":"CryptBull: Cross-Chain Protocol Gravity Bridge Suffers $5.4 Million Attack","type":"news_article","url":"https://www.cryptbull.net/2026/05/31/cross-chain-protocol-gravity-bridge-suffers-5-4-million-attack-details/"}]},{"content":"Taiko is an Ethereum-equivalent ZK-rollup Layer-2 network. It was co-founded by Daniel Wang, former CEO of Loopring, and launched its mainnet in May 2024. Taiko uses a multi-prover model, with its Raiko stack supporting Intel SGX-based proof generation as one of multiple proof mechanisms. The protocol's bridge architecture relies on cross-chain message passing in which SGX attestations serve as trust anchors for withdrawal authorization. At the time of the exploit, TAIKO had a market capitalization of approximately $14.5 million, making it a smaller-cap L2 relative to peers. No prior major security incidents have been reported for Taiko prior to this June 2026 event.","heading":"Background: Taiko Protocol","severity":"low","sources":[{"credibility":1,"name":"Decrypt: Ethereum Layer-2 Taiko Warns Users to Withdraw Bridge Funds After Security Breach","type":"news_article","url":"https://decrypt.co/371769/ethereum-layer-2-taiko-warns-153103509.html"},{"credibility":2,"name":"Bitcoin Foundation: Taiko Hack Forces Bridge Withdrawal Warning Amid $1.7M Incident","type":"news_article","url":"https://bitcoinfoundation.org/news/blockchain-news/ethereum-l2-taiko-hack-forces-bridge-warning-amid-1-7m-exploit/"}]}],"sources_used":[{"credibility":1,"name":"CoinDesk: Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":1,"name":"Decrypt: Ethereum Layer-2 Taiko Warns Users to Withdraw Bridge Funds After Security Breach","type":"news_article","url":"https://decrypt.co/371769/ethereum-layer-2-taiko-warns-153103509.html"},{"credibility":1,"name":"Chainalysis: Inside the KelpDAO Bridge Exploit","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":1,"name":"CoinDesk: The $292 million Kelp DAO exploit shows why crypto bridges are still one of the industry's weakest links","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/21/the-usd292-million-kelp-dao-exploit-shows-why-crypto-bridges-are-still-one-of-the-industry-s-weakest-links"},{"credibility":2,"name":"Thirdweb: Taiko Bridge Exploit: How a Leaked Key Drained $1.7M from an Ethereum L2","type":"research","url":"https://blog.thirdweb.com/taiko-bridge-exploit-explained-how-a-leaked-key-led-to-1-7m-in-forged-withdrawals/"},{"credibility":2,"name":"The Defiant: Taiko Bridge Drained $1.7M After SGX Signing Key Left Exposed on GitHub","type":"news_article","url":"https://thedefiant.io/news/hacks/taiko-bridge-exploit-sgx-signing-key-github-1-7m"},{"credibility":2,"name":"SpotedCrypto: Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained","type":"news_article","url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"credibility":2,"name":"CryptoTimes: $1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"credibility":2,"name":"CryptoTimes: Taiko to Fully Restore Bridge Backing After $1.7M Hack","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/taiko-to-fully-restore-bridge-backing-after-1-7m-hack/"},{"credibility":2,"name":"crypto.news: Taiko sets four-step restart plan after June 21 bridge attack","type":"news_article","url":"https://crypto.news/taiko-sets-four-step-restart-plan-after-june-21-bridge-attack/"},{"credibility":2,"name":"CoinCodex: Ethereum Layer 2 Taiko Halts Network After $1.7M Exploit, Token Falls 11%","type":"news_article","url":"https://coincodex.com/article/86299/ethereum-layer-2-taiko-halts-network-after-17m-exploit-token-falls-11/"},{"credibility":2,"name":"TechTimes: Ethereum L2 Bridge Exploit Drains $1.7M: Leaked SGX Key Defeats Taiko Trust Model","type":"news_article","url":"https://www.techtimes.com/articles/318886/20260623/ethereum-l2-bridge-exploit-drains-17m-leaked-sgx-key-defeats-taiko-trust-model.htm"},{"credibility":2,"name":"Bitcoin Foundation: Taiko Hack Forces Bridge Withdrawal Warning Amid $1.7M Incident","type":"news_article","url":"https://bitcoinfoundation.org/news/blockchain-news/ethereum-l2-taiko-hack-forces-bridge-warning-amid-1-7m-exploit/"},{"credibility":2,"name":"AMBCrypto: Taiko token crashes 10% following $1.7mln exploit","type":"news_article","url":"https://ambcrypto.com/taiko-token-crashes-10-following-1-7mln-exploit-details/"},{"credibility":2,"name":"MEXC: Upbit Halts TAIKO Deposits and Withdrawals Amid Network Issue","type":"official","url":"https://www.mexc.com/news/1162981"},{"credibility":2,"name":"MEXC: Bithumb Temporarily Halts TAIKO Deposits and Withdrawals Due to Mainnet Issue","type":"official","url":"https://www.mexc.com/news/1162980"},{"credibility":2,"name":"CryptBull: Cross-Chain Protocol Gravity Bridge Suffers $5.4 Million Attack","type":"news_article","url":"https://www.cryptbull.net/2026/05/31/cross-chain-protocol-gravity-bridge-suffers-5-4-million-attack-details/"},{"credibility":2,"name":"CryptoTimes: Crypto Bridge Hacks Top $328M in 2026 as Cross-Chain Exploits Accelerate","type":"news_article","url":"https://www.cryptotimes.io/2026/05/18/crypto-bridge-hacks-top-328m-in-2026-as-cross-chain-exploits-accelerate/"},{"credibility":2,"name":"Taiko official X: Incident update — bridge and ERC20Vault paused","type":"social_media","url":"https://x.com/taikoxyz/status/2068953220097986953"},{"credibility":2,"name":"cryptonews.net: Taiko sets four-step restart plan after June 21 bridge attack","type":"news_article","url":"https://cryptonews.net/news/security/33075428/"}],"summary":"On June 21–22, 2026, Taiko — an Ethereum-equivalent Layer-2 rollup — suffered a bridge exploit in which an attacker drained approximately $1.7 million (roughly 870 ETH and 1.99 million TAIKO tokens) by forging cross-chain withdrawal proofs using an SGX enclave signing key that had been publicly committed to the taikoxyz/raiko GitHub repository. The team halted block production, froze bridge and ERC20Vault contracts, and pledged full 1:1 recollateralization before reopening. The incident is part of a broader 2026 pattern of bridge exploits totaling over $340 million across 14+ incidents.","timeline":[{"date":"2026-06-21","event":"Attacker begins exploiting Taiko's bridge using leaked SGX enclave signing key (enclave-key.pem) from the public taikoxyz/raiko GitHub repository to forge withdrawal proofs.","source":"SpotedCrypto, Thirdweb","source_url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"date":"2026-06-22","event":"Blockaid detects the exploit in real time. Approximately 870 ETH and 1.99 million TAIKO tokens are drained from the L1 Bridge and ERC20Vault contracts on Ethereum mainnet.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"date":"2026-06-22","event":"Attacker moves approximately 1.99 million TAIKO tokens to an address on MEXC exchange.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"date":"2026-06-22","event":"Taiko activates Security Council multisig; Bridge and ERC20Vault contracts frozen. Block production halted by proposers. Exploit contained by approximately 2:08 a.m. ET.","source":"Taiko official X account (taikoxyz)","source_url":"https://x.com/taikoxyz/status/2068953220097986953"},{"date":"2026-06-22","event":"Taiko issues public advisory urging all users to withdraw funds from every bridge on the network; requests centralized exchanges suspend TAIKO deposits.","source":"Decrypt","source_url":"https://decrypt.co/371769/ethereum-layer-2-taiko-warns-153103509.html"},{"date":"2026-06-22","event":"Upbit and Bithumb suspend TAIKO deposits and withdrawals. TAIKO token falls 10–20%, touching an all-time low near $0.07.","source":"MEXC News, CoinCodex","source_url":"https://coincodex.com/article/86299/ethereum-layer-2-taiko-halts-network-after-17m-exploit-token-falls-11/"},{"date":"2026-06-22","event":"Recovery pull request #21820 ('port hack recovery hooks to v3') opened on the taikoxyz GitHub, bundling checkpoint versioning, Inbox state reset, bridge message invalidation, and QuotaManager restoration.","source":"SpotedCrypto","source_url":"https://www.spotedcrypto.com/taiko-bridge-exploit-june-2026/"},{"date":"2026-06-25","event":"Taiko confirms that no user will lose funds and announces full 1:1 bridge recollateralization before reopening. Taiko's CEO files a formal report with Singapore authorities.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/25/taiko-to-fully-restore-bridge-backing-after-1-7m-hack/"},{"date":"2026-06-28","event":"Taiko publishes a four-step restart plan: deploy and audit fixes, recollateralize bridge 1:1, restore L2 activity, then reopen bridge under Security Council approval.","source":"crypto.news","source_url":"https://crypto.news/taiko-sets-four-step-restart-plan-after-june-21-bridge-attack/"}]},"v":1}