Ethereum-based Layer 2 network Taiko has suspended block production in response to an attack on its bridge, urging users to withdraw their assets from the network’s bridges. The Taiko team disclosed that approximately $1.7 million in assets were lost before the attack was contained.
How did the attack happen?
According to information provided by Taiko, the attacker managed to exploit the bridge by fabricating cross-chain proofs, which are intended to confirm that a withdrawal on the bridge corresponds to a genuine deposit. By submitting these fake proofs, the hacker convinced Ethereum to honor withdrawal requests for assets that had no matching deposits on the Taiko side, draining funds from both the bridge and the token vault.
The Taiko team explained that fraudulent withdrawal requests were accepted on Ethereum despite their not being matched by any deposit on the Taiko chain, enabling the attacker to record illegitimate withdrawals.
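A monitoring check for the condition described above, as an added example that is not Taiko's or BlockSec's code: it reconciles Ethereum-side withdrawals against Taiko-side deposits without looking at the proof at all. The `BridgeMessage` record, its field names and the sample events are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeMessage:
    msg_id: str      # cross-chain message identifier (hypothetical field)
    token: str
    amount: int
    recipient: str

def unbacked_withdrawals(taiko_deposits, ethereum_withdrawals):
    """Flag Ethereum-side withdrawals that no Taiko-side deposit backs.

    Works on indexed events from both chains and ignores the proof, so a
    withdrawal whose proof verified under a leaked key is still caught.
    """
    deposits = {d.msg_id: d for d in taiko_deposits}
    consumed = set()          # deposits that already backed one withdrawal
    alerts = []
    for w in ethereum_withdrawals:
        d = deposits.get(w.msg_id)
        if d is None:
            alerts.append((w, "no matching deposit"))
        elif w.msg_id in consumed:
            alerts.append((w, "deposit already withdrawn"))
        elif (d.token, d.amount, d.recipient) != (w.token, w.amount, w.recipient):
            alerts.append((w, "fields differ from deposit"))
        else:
            consumed.add(w.msg_id)
    return alerts

def unbacked_totals(taiko_deposits, ethereum_withdrawals):
    """Sum flagged withdrawal amounts per token to size the exposure."""
    totals = Counter()
    for w, _reason in unbacked_withdrawals(taiko_deposits, ethereum_withdrawals):
        totals[w.token] += w.amount
    return dict(totals)

# Constructed sample events, not data from the incident.
DEPOSITS = [BridgeMessage("m-1", "TAIKO", 500, "0xAlice"),
            BridgeMessage("m-2", "ETH", 3, "0xBob")]
WITHDRAWALS = [BridgeMessage("m-1", "TAIKO", 500, "0xAlice"),     # backed
               BridgeMessage("m-9", "TAIKO", 2000, "0xMallory"),  # no deposit
               BridgeMessage("m-2", "ETH", 30, "0xBob"),          # amount altered
               BridgeMessage("m-1", "TAIKO", 500, "0xAlice")]     # replayed

if __name__ == "__main__":
    for w, reason in unbacked_withdrawals(DEPOSITS, WITHDRAWALS):
        print(f"ALERT {w.msg_id} {w.amount} {w.token} -> {w.recipient}: {reason}")
    print(unbacked_totals(DEPOSITS, WITHDRAWALS))
```

Because the reconciliation is independent of the signing key, it can drive an automatic pause of withdrawals even when every submitted proof verifies.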
Bridges like Taiko’s serve as crucial infrastructure to allow assets to move between different blockchains. In this case, the bridge facilitated the transfer of funds between the Taiko network and Ethereum.
Mini glossary: Raiko is Taiko’s proof-generation system on the Ethereum side, used to validate transactions. The signing key used by Raiko should be securely stored in protected hardware.
Key leak suspected in initial findings
Early assessments of how the attacker generated seemingly valid proofs raised concerns about a possible key leak. Security firm BlockSec’s preliminary investigation suggested that the signing key for Raiko may have been accidentally exposed publicly on GitHub.
BlockSec underscored that this signing key is meant to be kept strictly within secure hardware. If exposed, an attacker could register their own proof generators as legitimate and then use forged proofs, signed with the leaked key, to unlock real assets on Ethereum.
Bridge and withdrawals halted
Taiko promptly warned users to withdraw their funds from all network bridges and advised centralized exchanges to suspend TAIKO deposits. During the investigation, block producers were stopped from generating new blocks. The team announced that as of 2:00 AM Eastern time, the attack was under control and all withdrawals via the main bridge and token vault had been halted.
It was also reported that the attacker transferred 2 million TAIKO tokens—worth about $170,000—to an account on the MEXC exchange. Launched on Ethereum in May 2024, Taiko aims to lower transaction fees and enable off-chain processing before settling transactions back onto Ethereum’s mainnet.
Broader vulnerabilities persist this year
Although the monetary loss in this incident remained limited, the attack technique mirrors a broader vulnerability trend in bridge attacks witnessed this year. Recent data shows that fake cross-chain messages facilitated the theft of $292 million from the Kelp DAO bridge in April and $11.4 million from the Verus-Ethereum bridge in May.
Throughout 2026, at least 14 separate bridge attacks have caused over $340 million in total losses. Taiko, however, emphasized that swift detection and freezing of transactions kept the damage from escalating further. The company announced it will release a detailed incident report on Monday, Asia time.




