Key Highlights
Taiko confirmed that its chain state verification mechanism was compromised and that all bridges on the network are no longer secure, and it halted all block production while coordinating with its Security Council and ecosystem partners to contain the breach.
Blockchain security firm PeckShield estimated total losses at $1.7 million, with Blockaid's preliminary analysis pointing to a flaw in the source-signal proof verification mechanism that allowed the attacker to forge proof data and drain assets from Taiko's ERC20 Vault on Ethereum.
Taiko disclosed four attacker wallet addresses, urged all centralized exchanges to immediately suspend TAIKO deposits, and strongly advised users to withdraw all funds from Taiko-deployed bridges until further notice.
Ethereum-based rollup Taiko issued an emergency security notice confirming that its chain state verification mechanism had been compromised, rendering all bridges deployed on the Taiko network unsafe with immediate effect. The team said the security assumptions underlying its bridge infrastructure can no longer be relied upon and strongly advised all users to withdraw their funds from every Taiko-deployed bridge without delay. All Taiko proposers simultaneously halted production of new blocks as a containment measure, bringing the network to a standstill while the team investigates the breach with its Security Council and ecosystem partners.
Blockchain security firm Blockaid flagged the attack first, identifying that Taiko's ERC20 Vault on Ethereum had been exploited. Blockaid's preliminary analysis attributed the vulnerability to a flaw in the source-signal proof verification mechanism of Taiko's bridge, which allowed the attacker to forge or manipulate proof data and bypass the bridge's validation checks entirely. By submitting fraudulent proof data that the verification layer accepted as valid, the attacker was able to drain assets from the vault without triggering the expected security checks. PeckShield subsequently estimated total losses at approximately $1.7 million, higher than Blockaid's earlier estimate of over $1 million specifically tied to the ERC20 Vault. Taiko disclosed four attacker wallet addresses and urged centralized exchanges to suspend TAIKO deposits immediately and only re-enable them upon official notice from the project.
The Taiko incident is the latest in a long series of cross-chain bridge exploits that have made bridge infrastructure the most targeted attack surface in decentralized finance. In 2026 alone, major bridge-related breaches have hit multiple protocols including Gravity Bridge ($5.4 million), Axelar-Secret Network ($4.67 million), Hyperbridge ($2.5 million), and Alephium TokenBridge ($815,000), with the largest single exploit of the year targeting KelpDAO's LayerZero-based bridge for approximately $292 million in April. The recurring pattern of bridge exploits stems from the fundamental difficulty of verifying the state of one chain from another without introducing trust assumptions, and proof verification mechanisms — the same category of component that failed in Taiko's case — have proven particularly difficult to secure against adversarial inputs. Taiko said further updates would be provided as the investigation progresses.