Thesis Times


Taiko's Ethereum Layer 2 Goes Dark After Bridge Exploit Drains $1.7 Million

A leaked signing key let an attacker forge withdrawal proofs and pull $1.7 million from Taiko's bridge before the team froze the network - TAIKO dropped 10%, and the full incident report hasn't landed yet.

Published Jun 22, 2026, 1:32 PM UTC


TAIKO fell roughly 10% Monday after an attacker drained approximately $1.7 million from Taiko's bridge, forcing the Ethereum layer 2 network to halt block production and urge users to withdraw funds.

What Happened

Bridges work by confirming that a withdrawal on Ethereum matches a real deposit on the other chain. The attacker exploited that mechanism directly - forging proofs, registering fraudulent withdrawals, and draining funds from the bridge and its token vault before the team could freeze activity.

Security firm BlockSec traced the likely root cause to a signing key for Raiko - the system Taiko uses to generate cryptographic proofs that convince Ethereum its transactions are legitimate - being left publicly accessible on GitHub. That key is supposed to stay sealed inside secure hardware. With it exposed, the attacker could enroll rogue provers as legitimate, sign fraudulent proofs Taiko's verifier would accept, and then trigger bridge withdrawals that released real assets on Ethereum.

Taiko confirmed the chain state verification mechanism was compromised, stating that "the security assumptions of all bridges deployed on Taiko can no longer be relied upon" while it coordinated with its Security Council and ecosystem partners.

Containment and Response

By approximately 2 a.m. ET, Taiko said the exploit was contained and withdrawals through the main bridge and token vault were fully stopped. The team also asked centralized exchanges to suspend TAIKO deposits.

The attacker had already moved about 2 million TAIKO - worth roughly $170,000 - to an account on the MEXC exchange before the freeze. Taiko said it will publish a full incident report in Asian morning hours Monday.

A Familiar Flaw

The dollar loss is relatively modest. The underlying vulnerability is not. Cross-chain messaging exploits have accounted for more than $340 million in bridge hacks across at least 14 incidents in 2026, making bridges the costliest attack surface in crypto this year. Forged cross-chain messages drained $292 million from Kelp DAO's bridge in April and $11.4 million from the Verus-Ethereum bridge in May - both cases of one chain being tricked into trusting a fake instruction from another.

Taiko's damage stayed contained primarily because the team identified and froze the exploit within hours. In larger incidents, delays of even a few additional hours have multiplied losses dramatically.

What to Watch Next

The key open questions are the scope of the incident report due Monday and whether any additional bridge contracts remain at risk before a full audit. Taiko launched on Ethereum in May 2024, making this its first major security incident.

The 10% token move reflects immediate market repricing of protocol risk - a pattern consistent with prior L2 and bridge exploits. Recovery will likely hinge on how credibly and quickly the team addresses the key management failure, and whether any user funds go unreimbursed.

Broader Ethereum layer 2 tokens were not materially affected, consistent with the event being contained to Taiko's own protocol infrastructure rather than any systemic issue in the Ethereum ecosystem itself.
