Security firm BlockSec said its preliminary investigation traced the likely cause to a signing key that was left publicly accessible on GitHub. The key belongs to Raiko, which Taiko uses to supply proofs showing that a transaction is valid.
The key is meant to stay sealed inside secure hardware so the proofs can be trusted. If it is exposed, attackers can register their own provers as legitimate and sign fraudulent proofs that Taiko's verifier accepts, then fake a bridge withdrawal that releases real assets on Ethereum.
.@taikoxyz was reportedly attacked, with losses exceeding $1.7M. Our preliminary investigation suggests the likely root cause was an exposed Raiko SGX enclave signing key on GitHub. Raiko is Taiko's multi-prover stack for Taiko and Ethereum blocks, so an exposed Raiko SGX enclave key…
— BlockSec Phalcon (@Phalcon_xyz) June 22, 2026
Taiko urged all users to withdraw from every bridge on the network, asked centralized exchanges to suspend deposits of its TAIKO token, and had its block producers stop making new blocks during the investigation.
By about 2 a.m. ET, Taiko said the exploit had been contained and that withdrawals through the main bridge and token vault had been halted. The exploiter had already moved about 2 million TAIKO, worth roughly $170,000, to an account on the MEXC exchange.
The dollar loss is small, but the flaw came from the same DeFi mechanism that has caused hundreds of millions of dollars in losses this year.
Forged cross-chain messages drained $292 million from Kelp DAO's bridge in April and $11.4 million from the Verus-Ethereum bridge in May. Bridges have produced more than $340 million in losses across at least 14 exploits in 2026, making them the most expensive target in crypto. Taiko's damage stayed contained mainly because the team caught and froze it within hours.


