Taiko bridge failure forces users to withdraw funds

Taiko confirmed a compromise of its chain-state verification and urged users to withdraw from all bridges immediately; it asked exchanges to suspend TAIKO deposits pending notice.

Taiko, an Ethereum Layer-2 rollup, confirmed a compromise of its chain-state verification and instructed users to withdraw funds from all bridges immediately. The network also asked centralized exchanges to suspend TAIKO deposits until it issues an official notice.

On-chain records and Taiko’s advisory attribute the incident to forged message proofs accepted on Ethereum mainnet (L1) without matching MessageSent events on the Taiko source chain. That discrepancy created a risk that destination contracts could release assets based on fraudulent messages.

An Etherscan transaction shows 649,761.236201 USDC moved from a Taiko ERC20 vault to an exploiter address on June 21 at 22:07:23 UTC. Early forensic estimates put moved funds at roughly $1.7 million; Taiko later indicated total losses of about $2.2 million. The project expects affected users’ funds to be reimbursed from the protocol treasury.

Technical analysis identified a failure in source-signal proof validation. Crafted message proofs were accepted on Ethereum L1 even though the Taiko source chain did not record corresponding events. That gap allowed an attacker to register and later retrieve fraudulent bridge messages, triggering unauthorized releases from bridge and ERC20 vault contracts.

Taiko is coordinating with its Security Council and ecosystem partners to contain the incident, pause affected systems where possible, and pursue technical and legal remedies. Developers merged a code change that temporarily disables permissionless inbox proving and proposing and enforces no forced inclusions. A separate proposal would add versioning for SignalService checkpoints so older checkpoints can be invalidated after changes.

The network requested exchanges halt TAIKO deposits to prevent disputed tokens from entering centralized platforms while message validity is investigated. Taiko said it will publish further updates identifying which contracts and bridge routes were affected and explaining how message proofs will be handled going forward.

A bridge moves assets between chains by presenting a proof that a source-chain event occurred. If a destination chain accepts a proof that does not correspond to a genuine source event, the destination can release assets as if a legitimate transfer or withdrawal had taken place. For users, that can mean missing balances, interrupted deposit and withdrawal routes, or unexpected withdrawals.
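The reconciliation a bridge monitor can run against this failure mode, as an added example that is not Taiko's code: every destination-side release must be backed by exactly one matching MessageSent event from an independently indexed source chain. The record fields, hashes and addresses are constructed for illustration, and only the MessageSent event name comes from the advisory.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SourceEvent:          # MessageSent event read from a finalized source-chain block
    msg_hash: str
    token: str
    amount: Decimal
    recipient: str

@dataclass(frozen=True)
class DestRelease:          # vault release observed on the destination chain
    msg_hash: str
    token: str
    amount: Decimal
    recipient: str
    tx: str

def reconcile(source_events, releases):
    """Return (release, reason) for every release the source chain does not back."""
    by_hash = {e.msg_hash: e for e in source_events}
    consumed, findings = set(), []
    for r in releases:
        src = by_hash.get(r.msg_hash)
        if src is None:
            findings.append((r, "no_source_event"))    # proof accepted, event absent
        elif (src.token, src.amount, src.recipient) != (r.token, r.amount, r.recipient):
            findings.append((r, "field_mismatch"))     # event exists, payload differs
        elif r.msg_hash in consumed:
            findings.append((r, "replayed"))           # same message released twice
        else:
            consumed.add(r.msg_hash)                   # clean one-to-one match
    return findings

def exposure(findings):
    """Sum flagged amounts per token to size the incident."""
    totals = {}
    for r, _ in findings:
        totals[r.token] = totals.get(r.token, Decimal(0)) + r.amount
    return totals

# Constructed sample data (not real transactions).
SOURCE = [SourceEvent("0xaa01", "USDC", Decimal("1500.00"), "0xR1"),
          SourceEvent("0xaa02", "USDC", Decimal("250.50"), "0xR2")]
RELEASES = [DestRelease("0xaa01", "USDC", Decimal("1500.00"), "0xR1", "0xt1"),
            DestRelease("0xbb99", "USDC", Decimal("40000.00"), "0xR9", "0xt2"),
            DestRelease("0xaa02", "USDC", Decimal("9250.50"), "0xR2", "0xt3"),
            DestRelease("0xaa01", "USDC", Decimal("1500.00"), "0xR1", "0xt4")]
```

The check only has value if the source events come from a node or indexer the monitor controls, not from the same proof path the destination contract trusts.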

Forensic numbers are preliminary and under active investigation. Taiko’s advisory and the observed vault transfer led the project to prioritize immediate withdrawals while developers and security partners complete accounting and remediation.
