Taiko Warns Users After $1M Vault Exploit Rocks Ethereum Bridge
Taiko, an Ethereum Layer 2 project, has warned users to withdraw funds from all bridges deployed on its network after confirming a compromise of its chain state verification mechanism.
The security assumptions behind Taiko's bridge system can no longer be relied upon, according to the notice. Blockaid, a blockchain security firm, detected an ongoing attack on Taiko's ERC20 Vault on Ethereum, putting losses at over $1 million.
The likely root cause of the compromise is a flaw in the Taiko bridge's source-signal proof validation, which allowed crafted message proofs to be accepted as valid without corresponding legitimate 'MessageSent' events on the Taiko source chain. This enabled the attacker to register and later retrieve fraudulent bridge messages, leading to unauthorized asset releases from the ERC20 vault.
Taiko has temporarily stopped producing new blocks while it investigates and resolves the issue. The project also asked centralized exchanges to suspend TAIKO deposits immediately and will only resume deposits after an official notice.
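The root cause described above breaks one invariant: every vault release must correspond to a real 'MessageSent' event on the source chain. The Python monitor below reconciles the two sides independently of the proof logic. It is an added example, not code from Taiko or Blockaid. The record fields, the SHA-256 digest standing in for the bridge's message hash, and the sample data are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeMessage:
    # Hypothetical, simplified fields; a real bridge message carries more.
    msg_id: int
    recipient: str
    token: str
    amount: int

    def digest(self) -> str:
        # Assumption: SHA-256 over a delimited string stands in for the real message hash.
        raw = f"{self.msg_id}|{self.recipient}|{self.token}|{self.amount}"
        return hashlib.sha256(raw.encode()).hexdigest()


def reconcile(sent_events, releases):
    """Flag vault releases that lack a matching source-chain MessageSent event."""
    sent_by_id = {m.msg_id: m.digest() for m in sent_events}
    already_released = set()
    findings = []
    for rel in releases:
        expected = sent_by_id.get(rel.msg_id)
        if expected is None:
            findings.append(("no_source_event", rel.msg_id))   # release with no send
        elif expected != rel.digest():
            findings.append(("payload_mismatch", rel.msg_id))  # send exists, fields differ
        elif rel.msg_id in already_released:
            findings.append(("replayed", rel.msg_id))          # same message paid twice
        else:
            already_released.add(rel.msg_id)
    return findings


# Constructed sample data: source-chain events and destination-side vault releases.
SENT = [BridgeMessage(1, "0xaaa", "USDC", 500), BridgeMessage(2, "0xbbb", "USDC", 900)]
RELEASES = [
    BridgeMessage(1, "0xaaa", "USDC", 500),        # legitimate
    BridgeMessage(2, "0xbbb", "USDC", 9000),       # amount differs from the send
    BridgeMessage(7, "0xccc", "USDC", 1_000_000),  # never sent on the source chain
    BridgeMessage(1, "0xaaa", "USDC", 500),        # second release of message 1
]

if __name__ == "__main__":
    for reason, msg_id in reconcile(SENT, RELEASES):
        print(f"ALERT {reason}: message {msg_id}")
```

In practice the two inputs would come from indexed event logs on each chain, with source events counted only once they are final.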




