Security firm BlockSec said its initial investigation traced the likely cause to a signing key for Raiko, which Taiko uses to produce proofs indicating a transaction is genuine, that was left publicly accessible on GitHub.

The key is meant to stay sealed inside secure hardware so the proofs can be trusted. If it’s exposed, attackers can enroll their own provers as legitimate, sign fraudulent proofs that Taiko’s verifier accepts, and then fake a bridge withdrawal that releases real assets on Ethereum.

Taiko urged all users to withdraw from every bridge on the network, asked centralized exchanges to suspend deposits of its TAIKO token, and had its block producers stop making new blocks during the investigation.

By about 2 a.m. ET, Taiko said the exploit had been contained and that withdrawals through the main bridge and token vault had been halted. The exploiter had already moved about 2 million TAIKO, worth roughly $170,000, to an account on the MEXC exchange.

The dollar loss is small, but the flaw came from the same DeFi mechanism that has caused hundreds of millions of dollars in losses this year.

Forged cross-chain messages drained $292 million from Kelp DAO’s bridge in April and $11.4 million from the Verus-Ethereum bridge in May. Bridges have produced more than $340 million in losses across at least 14 exploits in 2026, making them the costliest target in crypto. Taiko’s damage stayed contained mainly because the team caught and froze it within hours.




