TL;DR
- Ethereum rollup Taiko confirmed a bridge exploit caused by a flaw in its message-proof verification system, leading to about $1.7 million in losses.
- The team paused operations, disabled bridges, and is preparing a full post-mortem.
Ethereum-Based Rollup Disables Bridges After Security Incident
Ethereum-based rollup Taiko has confirmed a compromise affecting its chain state verification system, prompting an immediate security response and a warning for users to withdraw funds from all associated bridges.
In a statement shared on X, the project said the exploit rendered all bridges deployed on the protocol insecure and urged users to exit affected systems as a precaution.
⚠️ Security Notice
1/2: We have confirmed a compromise of Taiko’s chain state verification mechanism. As a result, the security assumptions of all bridges deployed on Taiko can no longer be relied upon.
We are actively coordinating with the Security Council and ecosystem…
— Taiko.eth 🥁 (@taikoxyz) June 22, 2026
“We are actively coordinating with the Security Council and ecosystem partners to contain the incident, pause affected systems where possible, and take all necessary technical and legal actions,” Taiko stated.
The team also requested that centralized exchanges suspend deposits of its native token until further notice.
Following the disclosure, Taiko confirmed that all proposers had paused block production while engineers investigated the incident.
In a subsequent update posted around 2:08 a.m. ET, the project said the exploit had been contained. It also confirmed that withdrawals through the L1 Bridge and ERC20Vault were fully disabled.
The team emphasized that containment measures had been successfully deployed, though a full investigation remains ongoing.
Attack Exploited Flaw in Bridge Proof Verification
According to Taiko, the exploit stemmed from a vulnerability in its bridge message-proof verification mechanism.
The attacker was able to submit forged message proofs that were incorrectly accepted on Ethereum Layer 1, even though no corresponding event existed on the source chain.
“As a result, fraudulent withdrawals were registered, and funds were pulled from the bridge and token vault,” the team explained.
Security firm Blockaid independently identified the issue and pointed to a failure in source-signal validation as the likely root cause.
Blockaid noted that crafted proofs were accepted as valid on Ethereum without corresponding legitimate “MessageSent” events on Taiko’s originating chain, enabling unauthorized asset withdrawals from the ERC20 vault.
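The cross-check implied above, as an added example that is not code from Taiko, Blockaid or the original article: a monitor that flags every L1 release lacking a matching source-chain "MessageSent" event. The BridgeMessage fields, the digest encoding and the sample events are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeMessage:
    # Field layout is an assumption for illustration, not Taiko's message struct.
    src_chain_id: int
    msg_id: int
    recipient: str
    token: str
    amount: int

    def digest(self) -> str:
        # Hypothetical canonical encoding; a real monitor would use the bridge's own message hash.
        fields = (self.src_chain_id, self.msg_id, self.recipient.lower(), self.token.lower(), self.amount)
        return hashlib.sha256("|".join(map(str, fields)).encode()).hexdigest()

def reconcile(sent_events, l1_releases):
    """Return (reason, release) alerts for L1 releases not backed by a source-chain MessageSent."""
    sent_digests = {m.digest() for m in sent_events}
    sent_ids = {(m.src_chain_id, m.msg_id) for m in sent_events}
    consumed, alerts = set(), []
    for rel in l1_releases:
        d = rel.digest()
        if d in consumed:
            alerts.append(("REPLAYED", rel))            # same message released twice
        elif d in sent_digests:
            consumed.add(d)                             # legitimate, first release
        elif (rel.src_chain_id, rel.msg_id) in sent_ids:
            alerts.append(("FIELDS_MISMATCH", rel))     # id exists, contents differ
        else:
            alerts.append(("NO_SOURCE_EVENT", rel))     # nothing was ever sent on the source chain
    return alerts

# Constructed sample data: indexed MessageSent events from the source chain ...
SENT = [BridgeMessage(1001, 1, "0xA11CE", "0xT0KEN", 500),
        BridgeMessage(1001, 2, "0xB0B", "0xT0KEN", 75)]
# ... and releases observed on L1 (the last three should alert).
RELEASES = [BridgeMessage(1001, 1, "0xa11ce", "0xT0KEN", 500),
            BridgeMessage(1001, 2, "0xB0B", "0xT0KEN", 75_000),
            BridgeMessage(1001, 99, "0xE7E", "0xT0KEN", 1_000_000),
            BridgeMessage(1001, 1, "0xA11CE", "0xT0KEN", 500)]

if __name__ == "__main__":
    for reason, rel in reconcile(SENT, RELEASES):
        print(reason, rel.msg_id, rel.recipient, rel.amount)
```

Run independently of the bridge's own proof verifier, a reconciliation like this catches releases that the on-chain check accepted but that no source-chain event supports.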
Initial estimates from Blockaid placed losses at around $1 million. However, blockchain analytics firm PeckShield later revised the figure to approximately $1.7 million.
#PeckShieldAlert @taikoxyz has been exploited for ~$1.7M.
The exploiter has already transferred 1.99M $TAIKO (~$189.12K) to #MEXC https://t.co/uJhqTYrqHH
— PeckShieldAlert (@PeckShieldAlert) June 22, 2026
PeckShield also reported that the attacker moved about 1.99 million TAIKO tokens—worth roughly $169,702—into an address linked to the MEXC exchange.
Taiko has since confirmed that total losses were approximately $1.7 million prior to the protocol pause.
The team said it is preparing a full post-mortem to detail the exploit and outline future security improvements.
Taiko is an Ethereum-based “rollup,” a scaling solution that relies on Ethereum validators to sequence transactions rather than using centralized sequencers.
The project launched on mainnet in May 2024 after several years of development, beginning in 2022. It is designed to enhance Ethereum scalability while preserving decentralization principles.
Hassan Maishera