Taiko bridge compromise prompts users to withdraw funds

Taiko confirmed a breach of its chain-state verification, told users to withdraw funds and asked exchanges to suspend TAIKO deposits while it investigates.

Taiko, an Ethereum Layer 2 bridge network, warned users to withdraw funds after confirming a compromise of its chain-state verification mechanism and asked centralized exchanges to suspend TAIKO deposits until further notice. The project said the security assumptions for all bridges deployed on Taiko could no longer be relied upon and urged immediate withdrawals.

The vulnerability involved message-proof validation between Taiko and Ethereum L1. Security firm Blockaid reported that “crafted message proofs were accepted as valid on Ethereum L1 while the Taiko source chain lacked corresponding legitimate MessageSent events.” That gap allowed an attacker to register and retrieve fraudulent bridge messages and trigger unauthorized releases from the ERC20 vault.

On-chain records link the verification failure to asset transfers. A transaction on June 21 at 22:07:23 UTC shows 649,761.236201 USDC moving from Taiko’s ERC20 Vault to an exploiter address. Initial forensic estimates from PeckShield placed losses at about $1.7 million and noted 1.99 million TAIKO tokens, worth roughly $189,000 at the time, were moved to the MEXC exchange. Taiko later indicated total losses of roughly $2.2 million and said affected users’ funds are expected to be reimbursed from the protocol treasury.

Taiko said it is coordinating with a Security Council and ecosystem partners to contain the incident, pause affected systems where possible and pursue technical and legal remedies. The team temporarily disabled permissionless inbox proving and proposing and enforced no forced inclusions in a merged GitHub pull request. A follow-up proposal would add versioning for SignalService checkpoints so old checkpoints can be invalidated after upgrades. The code changes are intended to control which messages can be proven and accepted while investigators determine which proofs remain valid.

Because a destination chain accepted proofs that lacked corresponding source-chain events, standard bridge verification no longer guaranteed safe exits. Users were advised to test and complete withdrawals before a full public postmortem was released. Taiko asked exchanges to suspend TAIKO deposits to prevent contested inflows based on disputed bridge messages.

Further accounting and forensic work is ongoing. Taiko has said it expects to reimburse impacted users from its treasury but did not provide a complete timeline for reimbursements or for when bridge operations might resume. Until Taiko publishes which message proofs are considered valid and a full list of affected contracts and routes, the project advised withdrawing funds from all bridges deployed on its network.

Articles by this author