Taiko Bridge Drained $1.7M After SGX Signing Key Left Exposed on GitHub

Taiko's L2 bridge went dark early Sunday after an attacker used a signing key that had been left publicly exposed in the protocol's GitHub repository to forge withdrawal proofs and drain roughly $1.7 million from bridge contracts on Ethereum mainnet.
After activating its Security Council multisig to pause withdrawals and halt block production, the team urged all users to exit every bridge deployed on Taiko immediately. The incident occurred early in the morning on June 22, according to Blockaid, the onchain security firm that detected the attack in real time. PeckShield later estimated losses at approximately $1.7 million, with the attacker moving around 1.99 million TAIKO tokens to the MEXC exchange before the freeze landed.
Leaked Key, Forged Proof
The root cause was operational. An RSA-3072 private key for Raiko, Taiko's multi-prover stack, had been committed as a file called `enclave-key.pem` to the public `taikoxyz/raiko` repository on GitHub. Raiko uses Intel SGX enclaves to generate cryptographic attestations that Taiko's L1 bridge contracts accept as proof that L2 state transitions are valid. With the key publicly accessible, the attacker enrolled their own SGX prover and signed fraudulent L2 state attestations that the on-chain verifier treated as legitimate.
The attack unfolded in two steps. First, the attacker used the leaked `enclave-key.pem` to register a rogue prover, which the bridge accepted because its `MrSigner` verification derived from the same public key. Second, the forged attestations enabled `processMessage()` calls that set withdrawal statuses to `RETRIABLE`. The subsequent `retryMessage()` calls executed with minimal additional checks, releasing funds from both the L1 Bridge contract and the ERC20Vault on Ethereum.
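The root cause described above, a private-key file committed to a public repository, is the kind of defect a repository gate catches before a push. The following is an added example and not Taiko's or Raiko's code: a small scanner that refuses a working tree containing PEM private-key headers and flags key-like filenames, run against a constructed tree whose paths and contents are made up for the example; only the filename `enclave-key.pem` comes from the incident.

```python
import os
import re
import sys
import tempfile

# PEM armour headers that mark private-key material (PKCS#1, PKCS#8, EC, DSA, OpenSSH).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# Filenames worth flagging even when the contents carry no PEM header.
SUSPECT_SUFFIXES = (".pem", ".key", ".p12", ".pfx")


def scan_bytes(data: bytes) -> bool:
    """True if the blob contains a PEM private-key header (public keys do not match)."""
    return PRIVATE_KEY_RE.search(data) is not None


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk a working tree and return (relative path, reason) for every finding."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # PEM headers sit at the top; bound the read
            rel = os.path.relpath(path, root)
            if scan_bytes(head):
                findings.append((rel, "PEM private key material"))
            elif name.lower().endswith(SUSPECT_SUFFIXES):
                findings.append((rel, "key-like filename"))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Constructed repo (paths and contents made up): a leaked key, its public half, a source file."""
    files = {
        "provers/sgx/enclave-key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIG...\n-----END RSA PRIVATE KEY-----\n",
        "provers/sgx/enclave-pub.pem": b"-----BEGIN PUBLIC KEY-----\nMIIB...\n-----END PUBLIC KEY-----\n",
        "src/main.rs": b"fn main() {}\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    hits = demo()
    print(*(f"BLOCK {rel}: {why}" for rel, why in hits), sep="\n")
    sys.exit(1 if any(why.startswith("PEM") for _, why in hits) else 0)  # non-zero blocks the push
```

Wired into a pre-commit hook or CI job, the non-zero exit stops the commit that carries the key rather than relying on later detection in a public repository.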
Blockaid's postmortem framing captured the core flaw: "Crafted message proofs were accepted as valid on Ethereum L1 without corresponding legitimate MessageSent events on the Taiko source chain," enabling the attacker to "register and later retrieve fraudulent bridge messages, resulting in unauthorized asset releases from the ERC20 vault."
Bridge Paused, Chain Halted
Taiko's Security Council paused the bridge and ERC20Vault contracts and asked centralized exchanges to suspend TAIKO deposits. South Korean exchanges Upbit and Bithumb, along with KuCoin, moved first to halt TAIKO withdrawals and deposits. At current prices, TAIKO trades around $0.069.
The protocol published the attacker's wallet addresses and said affected users would be reimbursed from the protocol treasury. In an end-of-day update, Taiko confirmed it had identified the root cause and that "the remaining funds in the bridge are safe," per the team's statement.
Recovery required a coordinated protocol upgrade. Four pull requests labeled `respond-to-hack` were merged into Taiko's codebase within 24 hours. The master fix, PR #21820, is described as "port hack recovery hooks to v3" and addresses the signing infrastructure changes needed to bring the bridge back online safely.
Exit Risk Is Structural
The Taiko incident sharpens a concern that predates the protocol. In rollup architecture, a user's ability to withdraw assets from L2 to Ethereum depends on functional bridge prover infrastructure. When that infrastructure is compromised, users cannot exit independently, regardless of how secure their own L2 positions are.
Taiko is a Type 1 ZK-EVM-based rollup, meaning sequencing is delegated to Ethereum validators and it runs without a centralized sequencer. That design choice adds censorship resistance at the sequencing layer but does not protect against a prover compromise. The multi-prover architecture in Raiko, which combines SGX attestation with ZK backends including SP1 and RISC0, was intended to force an attacker to defeat independent proof systems simultaneously. The operational failure, a key exposed in a public repository, bypassed that layered design entirely.
The episode arrives in a dense stretch of bridge losses. PeckShield documented $340.7 million across 14 cross-chain bridge exploits in 2026, a list that now includes the $11.58 million Verus-Ethereum bridge drain in May and the $4.67 million Axelar infinite-mint exploit against Secret Network. The pattern is different in each case, but the shared failure mode is access control over the infrastructure layer that L1 contracts trust to validate L2 state.
Taiko's incident is distinct from the Aztec V4 withdrawal situation The Defiant reported last week, where users were given a deadline to exit before a protocol upgrade would expose a proving-system vulnerability. Both cases end in the same user imperative: move funds before the bridge closes. The mechanism differs. Aztec's risk was a scheduled disclosure; Taiko's was an active drain.
A full post-mortem from Taiko has not yet been published. The Security Council multisig approval of the recovery upgrade is required before the chain comes back online.