Taiko has urged users to withdraw assets from its bridges after an exploit on the network’s bridge infrastructure reportedly drained funds from its ERC20 vault. Reported losses range from at least $1 million to as much as $1.7 million, and the final figure has not been confirmed.
The incident centers on Taiko’s bridge message validation flow, according to security firm Blockaid. Its analysis said the attacker exploited a flaw in source-signal proof validation, allowing forged bridge messages to be accepted on Ethereum without matching legitimate MessageSent events on the Taiko source chain.
⚠️ Security Notice
We have confirmed a compromise of Taiko’s chain state verification mechanism. As a result, the security assumptions of all bridges deployed on Taiko can no longer be relied upon.
We are actively coordinating with the Security Council and ecosystem partners to…
— Taiko.eth 🥁 (@taikoxyz) June 22, 2026
Forged Messages Trigger Unauthorized Releases
Blockaid said the weakness allowed an attacker to register and later retrieve fraudulent bridge messages. Once accepted by the destination-side logic, those messages could trigger unauthorized releases of assets from the bridge vault.
The root cause appears to be a flaw in Taiko bridge source-signal proof validation. Crafted message proofs were accepted as valid on Ethereum L1 without corresponding legitimate MessageSent events on the Taiko source chain.
This allowed the attacker to register and later…
— Blockaid (@blockaid_) June 21, 2026
Blockaid reportedly estimated at least $1 million in stolen assets, while other trackers and security researchers placed the figure closer to $1.7 million.
Taiko reportedly paused affected systems and began coordinating with partners to contain the incident. The project’s warning to withdraw funds indicates the bridge compromise was treated as an active infrastructure risk while the assessment continued.
It remains unclear whether the affected flows were limited to the ERC20 vault or whether additional bridge components were exposed. Further technical disclosure will be needed to confirm the full blast radius.
Bridge Security Assumptions Come Under Pressure Again
The exploit adds to a long-running pattern of cross-chain infrastructure incidents. Bridges remain attractive targets because they often hold pooled assets while relying on message verification systems that must correctly validate activity across multiple environments.
In this case, the reported vulnerability was not a simple private-key theft. The issue appears tied to proof validation and message acceptance logic, making it a protocol-level concern for bridge infrastructure.
For users, the immediate risk is practical. When a bridge operator tells users to withdraw, it usually means normal assumptions around asset custody, withdrawal safety or vault integrity may no longer hold until the issue is contained.
For developers and security teams, the incident reinforces the importance of testing failure cases where destination chains accept messages without valid source-chain events. These edge cases can become critical attack paths in cross-domain systems.
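The failure cases described above can be written down as tests. The following is an added example, not Taiko's or Blockaid's code: a simplified Python model of a destination-side bridge that releases only when a message has a Merkle inclusion proof against a source root it has already synced. The Merkle layout, the class and function names, and the sample messages are assumptions and do not reflect Taiko's actual proof format.

```python
import hashlib

def leaf(msg):                       # 0x00/0x01 prefixes keep leaves and inner nodes apart
    return hashlib.sha256(b"\x00" + msg).digest()

def node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle(leaves, index):
    """Source side: root and sibling path for leaves[index] (len is a power of 2)."""
    path, level = [], list(leaves)
    while len(level) > 1:
        sib = index ^ 1
        path.append((level[sib], sib < index))        # (sibling, sibling_is_left)
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

class DestinationBridge:
    def __init__(self, synced_roots):
        self.synced_roots = set(synced_roots)  # roots delivered by the chain-state sync path
        self.processed = set()

    def process(self, msg, root, path):
        if root not in self.synced_roots:             # caller-supplied roots are untrusted
            return "reject: unknown source root"
        acc = leaf(msg)
        for sibling, sibling_is_left in path:
            acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
        if acc != root:
            return "reject: no matching source signal"
        if leaf(msg) in self.processed:
            return "reject: replay"
        self.processed.add(leaf(msg))
        return "release"

def run_failure_cases():
    sent = [b"msg-%d" % i for i in range(4)]          # constructed MessageSent payloads
    root, path = merkle([leaf(m) for m in sent], 2)
    bridge = DestinationBridge({root})
    forged = b"never-sent-on-source"                  # constructed; no source event exists
    own_root, own_path = merkle([leaf(forged)] + [leaf(m) for m in sent[1:]], 0)
    return {
        "valid": bridge.process(sent[2], root, path),
        "replay": bridge.process(sent[2], root, path),
        "forged, borrowed proof": bridge.process(forged, root, path),
        "forged, empty proof": bridge.process(forged, root, []),
        "forged, self-made root": bridge.process(forged, own_root, own_path),
    }
```

Only the first case should release; every other entry is a regression test for a message the source chain never emitted or already delivered.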
For now, the confirmed takeaway is narrow but serious: Taiko has warned users to withdraw from its bridges, Blockaid has identified a source-signal proof validation flaw, and the estimated loss ranges from at least $1 million to roughly $1.7 million, pending final confirmation.
