Taiko has closed the attack vector behind its June 21 bridge exploit and outlined a four-step restart plan to bring the network back online.

Taiko, an Ethereum layer-2 network, lost about $1.7 million on June 21 after an attacker forged cross-chain withdrawal proofs by exploiting a leaked Raiko SGX enclave signing key that had been committed to a public GitHub repository. The team halted block production within hours, contained the outflows, and said on June 28 that the attack path is now closed as it prepares a phased restart of the protocol.
"The root cause was an exposed Raiko SGX enclave signing key on GitHub, which allowed the attacker to enroll their own provers and sign fraudulent withdrawal proofs," BlockSec Phalcon, the security firm that traced the breach, said in its initial analysis. "This broke the entire trust model underlying Taiko's bridge."
The attacker drained funds from Taiko's L1 Bridge and ERC-20 Vault contracts by generating fake Layer 2 state attestations that Ethereum's mainnet accepted as genuine. Before the team froze activity, the exploiter moved about 2 million TAIKO tokens, worth roughly $170,000, to the MEXC exchange and still holds 870.8 ETH valued at nearly $1.52 million, according to Lookonchain data. TAIKO, which has a market capitalization of $14.5 million, has slumped more than 20% since the incident and was trading near $0.07, close to its all-time low.
The $1.7 million loss is small relative to 2026's broader bridge-exploit tally — bridges have produced more than $340 million in losses across at least 14 exploits this year, making cross-chain infrastructure the highest-value attack target in crypto, according to CoinDesk. Taiko's four-step restart plan, which the team said will be executed after a full incident report is published, aims to restore bridge functionality and resume block production with updated security controls. The protocol's Security Council, a multisig governance body, was activated to coordinate the containment and will oversee the restart process.
What the leaked key unlocked
The RSA-3072 private key used to sign Intel SGX enclaves inside Raiko, Taiko's multi-prover stack, had been committed to the publicly accessible taikoyz/raiko repository on GitHub. Intel SGX creates encrypted, isolated memory regions called enclaves inside server-class CPUs, and the security model depends on signing keys never leaving the secure hardware. Once the key was exposed, the attacker could register their own SGX prover instances as legitimate participants in the Taiko prover network, then generate fake attestations that the L1 bridge contracts accepted as valid.
Taiko, which launched its mainnet in May 2024 as one of the first "based rollups" relying on Ethereum's own validators for transaction sequencing, had mandated SGX proof for every batch of transactions. At the time of the exploit, proving was controlled by a ProverWhitelist with just one registered prover, creating a single point of failure that the leaked key exploited.
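As an added illustration (not code from Taiko, Raiko or BlockSec), here is a pre-commit style scanner that finds PEM private keys in text and flags those with the RSA-3072, public-exponent-3 shape that Intel's SGX SDK requires for enclave signing keys. The exponent requirement comes from Intel's SGX documentation rather than this article, and `scan`, `rsa_params` and the sample blob are names and data constructed for the example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----(.+?)"
                    r"-----END (?:RSA )?PRIVATE KEY-----", re.S)

def _tlv(buf, pos):
    """Read one DER element; return (tag, value, offset of the next element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_params(der):
    """Return (modulus bits, public exponent) of a PKCS#1 or PKCS#8 RSA key."""
    outer, body, _ = _tlv(der, 0)
    _, _, pos = _tlv(body, 0)  # skip version
    tag, val, pos = _tlv(body, pos)
    if tag == 0x30:  # PKCS#8: skip AlgorithmIdentifier, unwrap the OCTET STRING
        return rsa_params(_tlv(body, pos)[1])
    etag, e, _ = _tlv(body, pos)
    if (outer, tag, etag) != (0x30, 0x02, 0x02):
        raise ValueError("not an RSA private key")
    return int.from_bytes(val, "big").bit_length(), int.from_bytes(e, "big")

def scan(text):
    """Return (line number, description) for each PEM private key in text."""
    out = []
    for m in PEM_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        try:
            bits, e = rsa_params(base64.b64decode("".join(m.group(1).split())))
            note = " (SGX signing-key profile)" if (bits, e) == (3072, 3) else ""
            out.append((line, f"RSA-{bits} e={e}{note}"))
        except (ValueError, IndexError):
            out.append((line, "private key, not parsed as RSA"))
    return out

def constructed_sample():
    """Constructed, truncated PKCS#1 blob (version, n, e only); not a usable key."""
    tlv = lambda t, v: bytes([t, 0x82]) + len(v).to_bytes(2, "big") + v
    ints = [x.to_bytes(x.bit_length() // 8 + 1, "big") for x in (0, (1 << 3071) | 1, 3)]
    b64 = base64.b64encode(tlv(0x30, b"".join(tlv(2, v) for v in ints))).decode()
    return f"# notes\n-----BEGIN RSA PRIVATE KEY-----\n{b64}\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(scan(constructed_sample()))
```

Running `scan` over every blob in a repository's history, not only the working tree, matters here because a key removed in a later commit remains readable in earlier ones.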
The team urged users not to bridge assets until an official all-clear is issued and said pending transactions from the incident are paused, not lost.