Taiko Bridge Exploit Headlines a $340M Year for Bridge Hacks


A signing key committed to a public GitHub repository brought down an entire Ethereum layer-2 network on June 22, 2026. The Taiko exploit drained roughly $1.7 million in hours and fits a pattern that has cost DeFi protocols more than $340 million in bridge losses this year alone.

Key Takeaways

  • Taiko halted block production on June 22, 2026 after an attacker used an exposed SGX (Software Guard Extensions, Intel's hardware enclave technology) signing key to forge fraudulent cross-chain withdrawal proofs.
  • BlockSec traced the root cause to Raiko's SGX enclave signing key being left publicly accessible on GitHub, allowing the attacker to enroll as a legitimate prover.
  • Bridge exploits totaled more than $340 million across at least 14 incidents in 2026, making cross-chain bridges the costliest single attack surface in crypto this year.

What Was This Week's Biggest Security Story?

The Taiko Ethereum layer-2 network halted block production on June 22, 2026 after an attacker forged cross-chain proofs to create fake withdrawal requests. Those requests were accepted on Ethereum despite having no matching deposits on Taiko, draining the bridge and token vault of approximately $1.7 million.

The Taiko team froze withdrawals by approximately 2 a.m. ET and urged all users to withdraw from every bridge on the network. The TAIKO token, which carried a market cap of $14.5 million at the time, declined more than 20% since midnight UTC following the exploit announcement.

How Did the Attacker Get In?

The root cause is notable for its operational simplicity. BlockSec identified that the Raiko SGX enclave signing key was left publicly accessible on GitHub, even though that key is meant to remain sealed inside secure hardware and never exposed.

With the key in hand, the attacker could enroll as a legitimate prover in Taiko's proof system and sign fraudulent withdrawal proofs that the bridge accepted as genuine. The chain's own verification mechanism was working correctly; the security assumptions it rested on had already collapsed.

This is a key-management failure at its most fundamental level. No amount of cryptographic soundness in a proof system compensates for a secret that has been committed to a public code repository.

Why Does This Keep Happening to Bridges?

The Taiko incident did not happen in isolation. According to reporting this week, the same class of cross-chain messaging flaws caused the $292 million Kelp DAO bridge loss in April 2026 and an $11.4 million loss from the Verus-Ethereum bridge in May 2026. Bridge exploits have totaled more than $340 million across at least 14 incidents in 2026.

Cross-chain bridges are structurally difficult to secure because they sit at the boundary between two independent security domains. A proof that looks valid on one chain must be verified on another, often relying on off-chain intermediaries or trusted hardware to bridge that gap.

That boundary is exactly where assumptions break. When the trusted hardware's signing key ends up on GitHub, the entire chain of trust collapses regardless of how the on-chain verification logic is written.

Also Notable This Week

Polymarket fake-bet investigation: A Wall Street Journal investigation found that Polymarket paid dozens of mostly college-age creators to film fake bets on dummy websites, with roughly $1.9 million in staged wagers spread across 1,105 reviewed videos. Prediction markets (platforms where users bet on real-world outcomes) derive their signal value from genuine participation, so manufactured volume undermines the integrity of price discovery. On top of this marketing scrutiny, Polymarket now faces lawsuits from Kentucky, Nevada, and Arizona over alleged unlicensed wagering.

Ethereum validator redirect proposal: A proposal on the Ethereum research forum would let validators redirect 0% to 10% of their annual staking rewards toward ecosystem public-goods funding via a "splitter" contract. The proposal's own authors flag that a coordinated majority of validators could raise the redirect rate and route funds to themselves, creating a governance attack surface that security researchers modeling Ethereum's consensus layer should track closely.

Bitcoin RBF signaling removal: Bitcoin developers proposed removing explicit RBF (replace-by-fee, a mechanism allowing a user to replace an unconfirmed transaction with one paying a higher fee) signaling from wallet software. Since full-RBF is now standard network policy, the opt-in flag is redundant and creates on-chain wallet fingerprints, a privacy risk for users who assume their transaction patterns are opaque.

Fake ZKSync.jp token fraud: A criminal network allegedly distributed a scam token under the name "zksync.jp," with reported losses exceeding $1 million. Token impersonation attacks rely entirely on users failing to verify contract addresses independently, a reminder that name similarity provides no on-chain guarantee of legitimacy.

Numbers That Mattered

$340 million+ lost to bridge exploits across at least 14 incidents in 2026, with Taiko's $1.7 million the latest addition to that total.

$292 million drained from the Kelp DAO bridge in April 2026, the largest single bridge incident this year and a direct precursor to the Taiko attack pattern.

70,000 ETH is the annual maximum that could be redirected under the Ethereum validator proposal if adopted at the 10% ceiling, equivalent to approximately $120 million at current market prices, against a baseline of roughly 700,000 ETH in total annual staking rewards.

$1.9 million in fake wagers staged across 1,105 influencer videos promoting Polymarket, per the Wall Street Journal's review.

What Are We Watching Next Week?

The immediate question for Taiko is whether the team can audit, patch, and restart the network with a verifiably sealed signing key, and what recovery paths exist for users who could not withdraw before the freeze. The Ethereum validator redirect proposal remains at the discussion stage with no formal vote scheduled, but the cartelization risk it surfaces is worth watching for anyone modeling governance attack surfaces on Ethereum. More broadly, fourteen bridge incidents in roughly six months raise the question of whether any coordinated industry response on cross-chain key-management standards is forming.

Frequently Asked Questions

What was the root cause of the Taiko bridge exploit on June 22, 2026? BlockSec identified that the Raiko SGX enclave signing key was left publicly accessible on GitHub. That key is designed to remain sealed inside secure hardware. With the key exposed, the attacker could enroll as a legitimate prover and sign fraudulent cross-chain withdrawal proofs that the bridge accepted without question.

How much have bridge exploits cost DeFi protocols in 2026? More than $340 million across at least 14 incidents. The three largest were the $292 million Kelp DAO bridge loss in April 2026, the $11.4 million Verus-Ethereum bridge loss in May 2026, and the Taiko exploit of approximately $1.7 million on June 22, 2026.

What is the cartelization risk in the Ethereum validator redirect proposal? The proposal allows a coordinated majority of validators to raise the redirect rate above what individual validators would voluntarily choose and route those funds to themselves or favored recipients. Because the "splitter" contract distributes funds based on validators' stated preferences, a controlling coalition could redirect a meaningful slice of the roughly 700,000 ETH distributed annually in staking rewards. The proposal's authors explicitly flag this as an open risk.

Why does the Polymarket fake-bet campaign matter beyond marketing ethics? Prediction markets are only useful if their volume reflects genuine trader activity. Staged bets inflate apparent liquidity and distort the price signals that users rely on when placing real wagers. Polymarket is also navigating CFTC approval for U.S. market re-entry while facing active state lawsuits, so the credibility of its platform activity is now a live legal question, not just a reputational one.

What does removing Bitcoin RBF signaling mean in practice? It removes an on-chain flag that identifies which wallet software generated a transaction, eliminating a fingerprint that harms user privacy. The underlying behavior does not change because full-RBF is already standard network policy. Developers are coordinating on a shared default input sequence number, likely MAX-2 (already used by roughly 75% of transactions), so outputs from different wallets become harder to distinguish from one another.
