Ethereum L2 Taiko Halts Operations After Bridge Exploit Drains $1.7M

Ethereum Layer 2 network Taiko has halted block production and advised users to withdraw funds after an attacker exploited its bridge, resulting in an estimated loss of $1.7 million. The exploit involved the attacker forging cross-chain proofs, enabling fraudulent withdrawals on Ethereum without corresponding deposits on Taiko's chain. This allowed the attacker to drain funds from the bridge and its token vault.

Security firm BlockSec indicated that the likely cause was an exposed signing key for Raiko, Taiko's proof-generation system, which was found publicly accessible on GitHub. This key is intended to be kept secure to ensure the trustworthiness of proofs submitted to Ethereum. With the key compromised, the attacker could enroll as a legitimate prover and submit fraudulent proofs, leading to the fake withdrawal of assets.

While the dollar amount of the loss is relatively small, the exploit utilized a cross-chain messaging flaw similar to those behind other significant bridge hacks this year, which have collectively caused over $340 million in losses. Taiko's team managed to contain the exploit and freeze outflows within hours. The protocol, which launched its mainnet in May 2024, is preparing a detailed incident report.