Crypto users told to pull funds after Ethereum L2 bridge failure exposes rollup exit risk

Summary

Taiko warned that a compromise in its chain-state verification mechanism meant the security assumptions for all bridges on Taiko could no longer be trusted, and users should withdraw funds immediately. It also asked centralized exchanges to suspend TAIKO deposits until further notice. Blockaid said the flaw involved forged message proofs being accepted on Ethereum L1 even when the Taiko source chain had no valid MessageSent event, letting an attacker register and later redeem fraudulent bridge messages and drain ERC20 vault funds. Taiko’s follow-up matched that account. On-chain evidence showed 649,761.236201 USDC moved from Taiko’s ERC20 Vault to an exploiter address. Loss estimates later rose from about $1.7 million to roughly $2.2 million, with Taiko saying affected users should be reimbursed from the protocol treasury. The incident shifted attention to proof validation, vault controls, and which bridge messages can still be trusted.
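The question of which bridge messages can still be trusted can be approached by reconciling L1 redemptions against the source chain's MessageSent events. The following is an added example, not code from Taiko or Blockaid: the record layout, field names and sample values are constructed assumptions, and it goes beyond the case in the text by also flagging replayed and payload-mismatched redemptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records; field names and values are hypothetical,
# not Taiko's event schema. In practice they would come from indexed logs.
L2_MESSAGE_SENT = [
    {"msg_hash": "0xaa01", "token": "USDC", "amount": Decimal("1500.00")},
    {"msg_hash": "0xaa02", "token": "USDC", "amount": Decimal("250.50")},
]
L1_REDEEMED = [
    {"msg_hash": "0xaa01", "token": "USDC", "amount": Decimal("1500.00"), "to": "0xuser1"},
    {"msg_hash": "0xaa02", "token": "USDC", "amount": Decimal("900.00"), "to": "0xuser2"},
    {"msg_hash": "0xff99", "token": "USDC", "amount": Decimal("40000.00"), "to": "0xuser3"},
    {"msg_hash": "0xaa01", "token": "USDC", "amount": Decimal("1500.00"), "to": "0xuser1"},
]

def reconcile(sent, redeemed):
    """Return every L1 redemption that the L2 MessageSent set does not justify."""
    source = {m["msg_hash"]: m for m in sent}
    seen = set()
    findings = []
    for r in redeemed:
        origin = source.get(r["msg_hash"])
        if origin is None:
            # The failure described above: redeemed on L1, never sent on L2.
            reason = "no_source_event"
        elif r["msg_hash"] in seen:
            reason = "replayed"
        elif (origin["token"], origin["amount"]) != (r["token"], r["amount"]):
            reason = "payload_mismatch"
        else:
            reason = None
        seen.add(r["msg_hash"])
        if reason:
            findings.append({**r, "reason": reason})
    return findings

def exposure_by_token(findings):
    """Sum the flagged amounts per token to size the unexplained outflow."""
    totals = defaultdict(Decimal)
    for f in findings:
        totals[f["token"]] += f["amount"]
    return dict(totals)

if __name__ == "__main__":
    flagged = reconcile(L2_MESSAGE_SENT, L1_REDEEMED)
    for f in flagged:
        print(f["msg_hash"], f["reason"], f["token"], f["amount"])
    print(exposure_by_token(flagged))
```

A check like this runs independently of the on-chain proof verifier, so it still raises a finding when the verifier itself is the component that failed.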