Source linked

Taiko's $1.7M Bridge Hack Traced to a Leaked SGX Key on GitHub

coindesk.com@patient_wolf3 hours ago·Web3 & Crypto·3 comments

An attacker forged withdrawal proofs after finding Taiko's Raiko signing key exposed on GitHub, repeating the cross-chain messaging flaw behind $340 million in hacks this year.

taikoraikoblocksecethereumbridgeslayer 2

A single signing key left publicly accessible on GitHub let an attacker forge withdrawal proofs and drain $1.7 million from Taiko's bridge before the team could halt block production.

Taiko, an Ethereum Layer 2 network that batches transactions off-chain and settles them to Ethereum, stopped producing blocks early Monday after the exploit. The team urged all users to withdraw from every bridge and asked centralized exchanges to suspend TAIKO deposits.

Forged Proofs, Real Ether

The attacker abused Taiko's cross-chain bridge, which uses cryptographic proofs to convince Ethereum that a withdrawal corresponds to a real deposit on Taiko. By forging those proofs, the attacker registered fraudulent withdrawals on Ethereum without any matching transaction on Taiko, draining the bridge and token vault.

Security firm BlockSec traced the root cause to an exposed Raiko SGX enclave signing key. Raiko is Taiko's multi-prover stack that produces the proofs that Ethereum trusts. That key is supposed to remain sealed inside Intel SGX secure hardware, guaranteeing that only legitimate provers can sign. Someone left it on GitHub, publicly readable.

With the key in hand, the attacker could enroll their own provers as legitimate. The verifier on Ethereum accepted the fraudulent proofs, and out went $1.7 million in assets.

Same Flaw, Smaller Damage

The dollar loss is modest compared to the $340 million stolen across at least 14 bridge exploits this year. Forged cross-chain messages drained $292 million from Kelp DAO's bridge in April and $11.4 million from the Verus-Ethereum bridge in May. Taiko's exploit uses the identical mechanism: one chain is tricked into trusting a fake instruction from another.

Taiko caught the outflow and froze the bridge within hours. The exploiter had already moved about 2 million TAIKO (roughly $170,000) to an account on MEXC exchange. But the broader trend is clear: if your cross-chain proof system relies on a single key, that key better not be on GitHub.

Taiko said it will publish a full incident report Monday in Asian hours. Until then, the network stays halted, and every bridge user should assume their funds were at risk the moment that key went public.

Source: Taiko halts its Ethereum layer 2 network after a bridge exploit, token dives 10%
Domain: coindesk.com

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Web3 & Crypto

view topic
Ethereum's zkEVM Bandwidth Trick: Sampling Blobs, Not Downloading Blocks

Mike Neuder argues that enshrining a zkEVM scales bandwidth as much as execution - without blocks-in-blobs, a 10x gas limit increase would push download latency past 1 second on a 10 Mbps connection.

GhostShard Uses Ownership Fragmentation to Break Ethereum Address Tracking

A new privacy architecture for the post-Pectra EVM decomposes ownership into disposable stealth shards, aiming to make persistent address tracing fail where shielded state systems create adoption friction.

Ethereum's Glamsterdam Upgrade Enters Final Phase With ePBS and Gas Repricing

Devnets with all EIPs are running now, targeting H2 2026 for the largest Ethereum protocol change since the Merge, including enshrined proposer-builder separation and sweeping gas cost changes.

13ms ZK Proofs Fix Blockchain Auction Censorship

A new protocol hides bid contents, bidder identity, and even the existence of a bid until reveal, while preventing proposers from sneaking in late bids or silently withdrawing commitments. Cost: 13 ms to generate an...

Comments load interactively on the live page.