Taiko Halts Block Production and Urges Withdrawals After Bridge Verification Flaw Drains Over $1 Million
Taiko, an Ethereum-focused Layer-2 network, warned users to withdraw funds from all bridges on its network and temporarily halted block production after confirming a compromise in its chain-state verification mechanism. Separately, blockchain security firm Blockaid said the attack had already drained more than $1 million from Taiko’s ERC20 Vault on Ethereum, according to posts on X reproduced by crypto.news in a report published at 05:39 UTC on June 22.
The project’s immediate response was sweeping. Taiko urged users to pull funds from all bridges deployed on the network, stopped proposers from producing new blocks while it investigated and asked centralized exchanges to suspend TAIKO deposits immediately until further notice. As of the reporting cited by crypto.news, Taiko had not provided a timeline for restoring bridge security or restarting block production.
Blockaid’s loss estimate and technical explanation came through public posts cited by crypto.news, not from a full Taiko post-mortem. According to crypto.news’s reproduction of Blockaid’s X post, the attack targeted Taiko’s ERC20 Vault on Ethereum and had resulted in losses of more than $1 million. Blockaid said the apparent root cause was a flaw in Taiko bridge source-signal proof validation that allowed fraudulent bridge messages to be accepted on Ethereum without corresponding legitimate events on Taiko.
Taiko’s own public notice underscored the severity of the incident. “We have confirmed a compromise of Taiko’s chain state verification mechanism. As a result, the security assumptions of all bridges deployed on Taiko can no longer be relied upon,” the project said in an X post reproduced by crypto.news.
For general readers, Taiko is an Ethereum Layer-2 network, launched on mainnet in May 2024, that is designed to work closely with Ethereum while processing activity off the main chain. Bridges are a critical part of that setup because they move assets and messages between networks. In simple terms, a bridge is supposed to release funds on one chain only after it sees valid proof that a deposit or message occurred on another. If the proof-checking mechanism fails, a bridge can be tricked into releasing assets without a legitimate corresponding event.
That is why the flaw described by Blockaid matters. In Blockaid’s words, as reproduced by crypto.news, “The root cause appears to be a flaw in Taiko bridge source-signal proof validation. Crafted message proofs were accepted as valid on Ethereum L1 without corresponding legitimate MessageSent events on the Taiko source chain.” Bridge exploits are a recurring risk in decentralized finance because they depend on getting those verification checks right.
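The invariant in that description, that every release on the destination chain must correspond to a MessageSent event on the source chain, can also be checked off-chain by reconciling the two event streams. The sketch below is an added example, not code from Taiko, Blockaid or crypto.news; the record fields, the hashing scheme and the sample data are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
# Hypothetical record layout for illustration (not Taiko's contract or event schema).
@dataclass(frozen=True)
class BridgeMessage:
    msg_id: int
    recipient: str
    token: str
    amount: int

    def digest(self) -> str:
        # Hash over every field, so a release that reuses a real id but changes
        # the recipient or amount no longer matches the source-chain event.
        packed = f"{self.msg_id}|{self.recipient}|{self.token}|{self.amount}"
        return hashlib.sha256(packed.encode()).hexdigest()

def reconcile(source_sent, dest_released):
    """Return (unbacked, replayed) releases seen on the destination chain."""
    sent = {m.digest() for m in source_sent}
    seen, unbacked, replayed = set(), [], []
    for m in dest_released:
        d = m.digest()
        if d not in sent:
            unbacked.append(m)   # no matching MessageSent on the source chain
        elif d in seen:
            replayed.append(m)   # one source event released more than once
        seen.add(d)
    return unbacked, replayed

def unbacked_total(unbacked):
    # Sum the value released without a backing source event, per token.
    totals = {}
    for m in unbacked:
        totals[m.token] = totals.get(m.token, 0) + m.amount
    return totals

# Constructed sample data (not real addresses, amounts or transactions).
SOURCE_SENT = [
    BridgeMessage(1, "0xbbb", "USDC", 500),
    BridgeMessage(2, "0xddd", "USDC", 1_200),
]
DEST_RELEASED = [
    BridgeMessage(1, "0xbbb", "USDC", 500),       # backed by source event 1
    BridgeMessage(2, "0xeee", "USDC", 1_200),     # recipient differs from source
    BridgeMessage(9, "0xeee", "USDC", 900_000),   # no source event at all
    BridgeMessage(1, "0xbbb", "USDC", 500),       # second release of event 1
]
if __name__ == "__main__":
    bad, dup = reconcile(SOURCE_SENT, DEST_RELEASED)
    print("unbacked:", [m.msg_id for m in bad], unbacked_total(bad))
    print("replayed:", [m.msg_id for m in dup])
```

A monitor of this kind does not replace the on-chain proof check; it gives operators and exchanges an independent signal to pause deposits or withdrawals when the two chains disagree.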
Taiko has previously had its bridge and vault components reviewed as part of an OpenZeppelin audit in June 2024, though nothing in the reporting suggests that review identified this specific exploit. On Sunday, Taiko said it had published attacker addresses and would take “technical and legal steps where needed.”
As of early June 22, the project had not released a full incident report, a recovery plan or a timeline for resuming normal operations. For now, the clearest guidance from the network remains its own warning: users should withdraw from bridges, and exchanges should keep TAIKO deposits suspended until further notice.