@EchoProtocol_ Where's the commitment to the WBTC lenders on @Curvance that lost their WBTC due to a security problem on your end?
https://t.co/zQCChFOxsd
You have a responsibility to pay back the WBTC that was lost.
Security is a shared challenge across every DeFi platform.
We sincerely hope Aave, as a leading protocol in the lending space, can navigate through this difficult moment safely.
Echo will also continue doing its part โ contributing to the industry through our own technology and long-term commitment to safer infrastructure.
Wishing strength to the Aave team and community.
It's been over a month since this. @EchoProtocol_ still hasn't committed to repaying WBTC lenders โ here's why they should, and how:
https://t.co/rgUcWgvjXv
Earlier today, Echo Protocol identified unauthorized activity involving eBTC on Monad that resulted in unauthorized minting and associated fund loss.
Our investigation indicates the issue originated from a compromised admin key affecting the Monad deployment. Based on current findings, approximately $816K was impacted on Monad. The Monad network itself was not impacted and continues to operate normally.
Since detecting the incident, we have been actively investigating potential cross-chain exposure, coordinating with ecosystem partners, and implementing additional precautionary measures. We have successfully regained control of our admin keys and burnt the remaining 955 eBTC that was in the attackerโs possession.
13/ This is an $867K problem, not a $100+M one, and it's been over a month with no answer. @EchoProtocol_ can solve it without breaking a sweat. The only question left is whether it protects its reputation the way Sky Mavis and BitMart did, or keeps stalling and loses trust.
12/ If @EchoProtocol_ 's treasury can't cover it in cash, there are still ways to get lenders whole without touching them (1) Sell BTC or other treasury holdings (2) Raise a small emergency funding round from investors/partners, (3) apply a small pro-rata haircut to eBTC holders
1/ On May 18, @EchoProtocol_ 's admin key was compromised, letting an attacker mint 1,000 fake eBTC. 45 of which were used as collateral on @Curvance to borrow 11.29 real WBTC (~$867K) โ money that belonged to lenders who had nothing to do with eBTC's security failure. ๐งต
11/ How to actually fix it (1) @EchoProtocol publicly commits to repaying WBTC lenders 100%. (2) The 45 fake eBTC in Curvance gets destroyed (3) Echo puts real, Bitcoin-backed funds into the Curvance pool equal to what lenders are owed. (4) Curvance reopens
10/ It also drags down Monad and Curvance, through no fault of theirs. New builders and depositors weigh "is this chain/protocol safe" against headlines like this one. An unresolved shortfall on Curvance makes lenders nervous about every Curvance market.
9/ If @EchoProtocol_ doesn't commit to repay WBTC lenders the costs compound
(1) Partners evaluating eBTC see a liability
(2) Lender confidence and TVL in eBTC dry up across every chain
(3) Legal exposure grows
(4) Markets that listed eBTC as collateral become suspect
8/ It's now been over a month since the exploit, and @EchoProtocol_'s only response for affected users has been to set up a Discord ticket process to submit their information. That's an intake form, not a commitment โ there's still no announced plan to repay WBTC lenders.
7/ After the $196M BitMart hack in 2021, CEO Sheldon Xia committed BitMart's own funds to compensate every affected user, saying "no user assets will be harmed." Taking responsibility with company funds is a known, credible playbook after a key-compromise hack.
6/ After the Ronin Bridge hack in 2022, Sky Mavis raised $150M (led by Binance) plus company treasury funds to reimburse every affected user in full. Ronin reopened and remains a top NFT chain today. Full compensation protected the ecosystem
5/ And this isn't a radical ask โ there's real precedent for protocols and companies stepping up with their own funds when their security failure caused user losses, rather than letting those losses sit with blameless users:
4/ Given all of this, @EchoProtocol_ should compensate WBTC lenders in full. The fault, the compromised key, and the fraudulent mint all originate on Echo's side โ the loss should be made whole by the party responsible for it, not carried by passive lenders.
3/ WBTC lenders on @Curvance had no visibility into @EchoProtocol_ 's admin key security. They had no way to know a single compromised key could mint unlimited fake collateral โ that's exactly the kind of issuer-side risk lenders can't see or price in.
2/ This wasn't a @Curvance bug. Curvance's isolated-market design did exactly what it's supposed to do and contained the damage to one pool. The failure was 100% on Echo's side. WBTC lenders are victims of Echo's compromised key โ not their own decision.