Taiko issued a security notice on X on June 22, stating that it has confirmed that Taiko’s on-chain state verification mechanism was compromised, and that all security assumptions for cross-chain bridges deployed on Taiko can no longer be relied upon. The cross-chain bridge and the treasury have been paused; both directions of the cross-chain bridge are offline, and pending transactions are in a paused state rather than lost. Blockaid monitoring shows Taiko lost over $1 million in the ERC20 Vault.
Taiko’s Emergency Response: Bridge Paused, Exchange Deposit Requests, Attacker Address Disclosed
According to Taiko’s public statement on X, the emergency measures taken include:
· Both the cross-chain bridge and the treasury have been paused; funds can no longer be withdrawn; both directions of the cross-chain bridge are offline;
· Coordinating with the security committee and ecosystem partners to control the situation and pause affected systems as much as possible;
· Urgently requesting that all centralized exchanges suspend TAIKO token deposits until an official notice is received;
· The attacker address has been disclosed;
· Taking all necessary technical and legal actions.
Taiko also stated that pending transactions are in a paused state rather than lost.
Attack Technical Mechanism Analyzed by Blockaid: Flaw in Source Signal Proof Verification
According to Blockaid’s security monitoring analysis, the technical root of this attack lies in a flaw in Taiko cross-chain bridge source signal proof verification: the constructed message proof is accepted as valid on Ethereum L1 without the corresponding legitimate MessageSent event existing on Taiko’s source chain. This allows the attacker to register and extract fraudulent cross-chain messages, thereby releasing assets from the ERC20 Vault without authorization.
PeckShield Tracked Funds Flow: $1.7 Million Loss, 1.99 Million TAIKO Transferred to MEXC
PeckShield’s on-chain monitoring shows that the total loss from the Taiko attack event is approximately $1.7 million; the attacker has transferred 1.99 million TAIKO tokens (about $1.89 hundred thousand at the time) to the MEXC exchange. Previously, Blockaid reported an initial disclosure figure of the ERC20 Vault loss exceeding $1 million.
FAQ
Will the pending transactions of Taiko’s cross-chain bridge be lost?
According to Taiko’s official statement, pending transactions are in a “paused state” rather than lost. Users’ pending withdrawals have not disappeared; they are temporarily unable to be processed until bridging is restored.
What action should users take immediately now?
In its notice, Taiko “strongly recommends that all users immediately withdraw funds from all cross-chain bridges deployed on Taiko.” Since the security committee has paused bidirectional bridge operations, the specific steps depend on subsequent official announcements. At the same time, Taiko has requested that all centralized exchanges suspend TAIKO token deposits until an official notice is received.
Has the technical vulnerability behind this attack been fixed?
According to the official notice available as of the time of reporting, Taiko said the incident has been contained, and the cross-chain bridge and treasury have been paused, but it has not yet announced that the vulnerability has been fixed or when bridging will be restored. Taiko promised to provide further updates when more information becomes available.
