TL;DR
- Taiko urged users to withdraw from all bridges after a chain state verification compromise enabled unauthorized bridge withdrawals.
- Attackers used forged withdrawal proofs or messages that were accepted on Ethereum without matching legitimate activity on Taiko, draining up to $1.7 million.
- Taiko paused affected systems, halted withdrawals and asked exchanges to suspend TAIKO deposits while broader 2026 bridge losses already exceed $340 million across major reported exploits.
Taiko’s bridge emergency has turned a familiar cross-chain fear into an immediate user warning, after attackers drained up to $1.7 million through unauthorized withdrawals tied to its Ethereum bridge infrastructure. The Ethereum layer-2 project urged users to withdraw assets from all bridges deployed on Taiko, saying a compromise in chain state verification meant bridge security assumptions could no longer be trusted. The unsettling lesson is that one proof-validation failure can threaten an entire bridge stack, even when the absolute dollar loss remains modest by DeFi exploit standards.
⚠️ Security Notice
We have confirmed a compromise of Taiko’s chain state verification mechanism. As a result, the security assumptions of all bridges deployed on Taiko can no longer be relied upon.
We are actively coordinating with the Security Council and ecosystem partners to…
— Taiko.eth 🥁 (@taikoxyz) June 22, 2026
The exploit targeted Taiko’s bridge and ERC20 vault on Ethereum by accepting forged withdrawal proofs that appeared valid without matching legitimate activity on Taiko’s source chain. Security analyses described fraudulent bridge messages being registered and later retrieved, releasing real assets from the vault. Taiko paused affected systems, halted withdrawals through the main bridge and token vault, and asked centralized exchanges to suspend TAIKO deposits while block producers stopped producing new blocks during the investigation. That makes containment the first priority, because once forged cross-chain messages pass verification, speed matters more than cleanup messaging.
The root cause appears to be a flaw in Taiko bridge source-signal proof validation. Crafted message proofs were accepted as valid on Ethereum L1 without corresponding legitimate MessageSent events on the Taiko source chain.
This allowed the attacker to register and later…
— Blockaid (@blockaid_) June 21, 2026
Forged Proofs Expose Bridge Fragility Again
Early security reviews pointed to a source-signal validation flaw, while another investigation suggested an exposed Raiko SGX enclave signing key may have allowed attackers to enroll provers and sign fraudulent proofs. Taiko has not yet published its full incident report, so the final root-cause wording still matters. Even so, the operating pattern is clear: fake withdrawal requests were accepted on Ethereum without corresponding deposits or messages on Taiko. In practical terms, the exploit attacked trust between chains, not a simple wallet mistake or isolated token contract bug.
The market impact arrived quickly. Taiko estimated losses around $1.7 million before containing outflows, while other trackers placed stolen assets between at least $1 million and $1.7 million. The TAIKO token fell more than 20% after the incident, and exploiter-linked funds included roughly 2 million TAIKO moved to MEXC plus wallets holding about $1.5 million, mostly in ETH. The broader concern is larger than Taiko. Bridges have already produced more than $340 million in losses across at least 14 exploits this year, including Kelp DAO and Verus-Ethereum incidents. For users, Taiko’s warning is another reminder that bridges remain DeFi’s weakest connective tissue across protocol operations today.
