Taiko Bridge Drained $1.7M After SGX Signing Key Exposed on GitHub
An attacker leveraged a publicly committed SGX enclave key to forge withdrawal proofs on Taiko's Ethereum L2 bridge, draining $1.7 million before block production was halted on 22 June 2026.
Key Takeaways
- A private SGX enclave signing key for Raiko — Taiko's multi-prover stack — was left committed to a public GitHub repository, handing attackers the ability to enrol their own prover as legitimate.
- With a trusted prover identity, the attacker submitted forged withdrawal proofs on Ethereum mainnet that had no corresponding deposits on Taiko L2, draining approximately $1.7 million.
- Taiko halted block production and urged all bridge users to withdraw funds within hours of discovery; centralized exchanges were asked to suspend TAIKO token deposits.
- The incident is a textbook example of secret sprawl — a single committed credential collapsing an otherwise sophisticated cryptographic trust model.
On 22 June 2026 the Taiko bridge — which moves assets between Ethereum mainnet and Taiko's ZK-based layer-2 network — was exploited for at least $1.7 million before the team halted block production. The TAIKO token fell more than 20% in the hours that followed. Security firm BlockSec was first to identify the likely root cause: an SGX enclave signing key committed to a public GitHub repository.
How Raiko's Trust Model Was Subverted
Taiko uses a multi-prover architecture called Raiko to validate L2 state transitions. Part of Raiko's security model relies on Intel SGX — a hardware Trusted Execution Environment (TEE) — to attest that proofs were generated inside a genuine enclave. The bridge's on-chain verifier accepts withdrawal proofs only from enrolled, attested provers.
The attacker obtained the RSA private key used to sign SGX attestations — a key that BlockSec's investigation found had been left in the public taikoxyz/raiko repository on GitHub. With that key in hand, the attacker could enrol an arbitrary machine as a "legitimate" Raiko prover in the eyes of the on-chain verifier.
Forging Withdrawals That Never Happened
Cross-chain bridge security rests on one invariant: you cannot withdraw on chain A without a verified deposit on chain B. Taiko's bridge enforces this by requiring a ZK proof of the L2 state. Once the attacker controlled a prover that the verifier trusted, that invariant collapsed. They generated fraudulent L2 state attestations — asserting deposits that never occurred — and submitted the corresponding withdrawal requests on Ethereum mainnet. Funds moved out of the bridge vault with no legitimate backing on the L2 side.
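To make the chain of trust concrete, here is a small model of the trust path the two sections above describe: an attestation key vouches for a prover, an enrolled prover signs an L2 state root, and the verifier releases funds only against a signed root. This is an added illustration written for this article, not Taiko's or Raiko's code, and it does not describe how Taiko's verifier is actually configured; the key names and the HMAC stand-in for the enclave signature are assumptions of the model. It contrasts a verifier that trusts a single prover type with one that requires two independent prover types to co-sign, to show how far a single leaked attestation key reaches in each design.

```python
"""Toy model of a bridge verifier's chain of trust:
attestation key -> enrolled prover -> signed L2 state root -> withdrawal.
Hypothetical design for illustration; not Taiko's or Raiko's code."""
import hashlib
import hmac
from dataclasses import dataclass, field


def sign(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 stands in for the enclave's asymmetric signature so the
    # example needs only the standard library (an assumption of this model).
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class BridgeVerifier:
    # prover type -> key whose signature vouches that a prover is genuine
    attestation_keys: dict
    # prover types that must all co-sign a state root before funds are released
    quorum: frozenset
    enrolled: dict = field(default_factory=dict)  # prover id -> (type, key)

    def enrol(self, prover_id: str, prover_type: str,
              prover_key: bytes, attestation: bytes) -> bool:
        """Admit a prover only if its attestation was signed with that type's attestation key."""
        att_key = self.attestation_keys.get(prover_type)
        if att_key is None:
            return False
        expected = sign(att_key, prover_id.encode() + prover_key)
        if not hmac.compare_digest(expected, attestation):
            return False
        self.enrolled[prover_id] = (prover_type, prover_key)
        return True

    def verify_withdrawal(self, state_root: bytes, signatures: dict) -> bool:
        """Release funds only if every quorum type has a valid signature from an enrolled prover."""
        satisfied = set()
        for prover_id, sig in signatures.items():
            if prover_id not in self.enrolled:
                continue
            prover_type, prover_key = self.enrolled[prover_id]
            if hmac.compare_digest(sign(prover_key, state_root), sig):
                satisfied.add(prover_type)
        return self.quorum <= satisfied


def enrol_without_attestation_key() -> bool:
    """Without the attestation key, a forged attestation is rejected at enrolment."""
    v = BridgeVerifier({"sgx": b"constructed-sgx-attestation-key"}, frozenset({"sgx"}))
    return v.enrol("rogue", "sgx", b"constructed-rogue-key", b"not-a-valid-attestation")


def run_scenario() -> dict:
    """Compare a single-root-of-trust verifier with one requiring two
    independent prover types, once the SGX attestation key has leaked."""
    sgx_att_key = b"constructed-sgx-attestation-key"  # the key assumed to have leaked
    zk_att_key = b"constructed-zk-attestation-key"
    verifiers = {
        "single-sgx": BridgeVerifier({"sgx": sgx_att_key}, frozenset({"sgx"})),
        "sgx-plus-zk": BridgeVerifier({"sgx": sgx_att_key, "zk": zk_att_key},
                                      frozenset({"sgx", "zk"})),
    }
    rogue_key = b"constructed-rogue-prover-key"
    rogue_att = sign(sgx_att_key, b"rogue" + rogue_key)  # only possible with the leaked key
    fake_root = hashlib.sha256(b"L2 state with deposits that never happened").digest()
    results = {}
    for name, v in verifiers.items():
        enrolled = v.enrol("rogue", "sgx", rogue_key, rogue_att)
        released = v.verify_withdrawal(fake_root, {"rogue": sign(rogue_key, fake_root)})
        results[name] = {"rogue_enrolled": enrolled, "forged_withdrawal_accepted": released}
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

In the single-type verifier the leaked attestation key is the whole root of trust: enrolment succeeds and the forged root is accepted. In the two-type verifier the rogue prover still gets enrolled, but the withdrawal fails because no zk-type prover co-signed the fabricated root. The lesson for defenders is that the attestation key, not the enclave, is what the bridge ultimately trusts, so it belongs in an HSM with a rotation and revocation path, and the verifier's quorum should never be satisfiable by one root of trust alone.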
Incident Response
- Block production halted immediately, limiting further exploitation once the anomaly was detected.
- Users warned to withdraw funds from all bridges deployed on Taiko; the main bridge and token vault withdrawals were subsequently frozen by the team.
- Centralized exchanges asked to suspend TAIKO token deposits to prevent the attacker laundering proceeds.
- Taiko committed to publishing a full post-mortem incident report.
The Deeper Problem: Secret Sprawl in Open-Source Crypto
SGX is a sophisticated hardware primitive. Using it correctly for bridge attestation is non-trivial engineering — and Taiko's design goal was sound. But no amount of hardware security helps if the private key that authenticates the enclave is in a public repo. This is a credential hygiene failure, not a cryptographic failure.
Open-source crypto projects are structurally exposed to this class of risk. Developer keys, test credentials, and deployment secrets regularly leak into public repositories — sometimes in initial commits, sometimes in CI configuration, sometimes buried in git history long after an apparent deletion. Automated secret-scanning (GitHub's own push protection, truffleHog, gitleaks) exists precisely to catch this, but only if teams enable and act on it.
Bridge Exploits Remain the Largest Loss Category in Web3
The Taiko incident joins a pattern that has made cross-chain bridges the single most profitable target in the Web3 ecosystem. The trust assumptions embedded in bridge designs — whether oracle-based, optimistic, or ZK-verified — create concentrated attack surfaces. When that trust is betrayed, losses are immediate and irreversible. The Taiko team's decision to halt the network quickly limited the damage to $1.7 million; in prior incidents, hesitation has cost orders of magnitude more.
The likely root cause was an exposed Raiko SGX enclave signing key on GitHub… [allowing] attackers to enroll their own provers as legitimate.
— BlockSec / Phalcon, 22 June 2026
Frequently Asked Questions
What is Taiko and how does its bridge work?
Taiko is a ZK-Rollup Ethereum layer-2 network. Its bridge uses a multi-prover system called Raiko — including Intel SGX hardware attestation — to generate cryptographic proofs that a deposit occurred on L2 before releasing funds on Ethereum mainnet.
How did the attacker forge withdrawal proofs?
By obtaining the SGX enclave private key from GitHub, the attacker could enrol a malicious machine as a trusted Raiko prover. That prover then signed fraudulent L2 state attestations, which the bridge's on-chain verifier accepted as legitimate, releasing funds with no real backing deposit.
What should crypto projects do to prevent signing key leaks?
Enable repository secret scanning with push protection (GitHub, GitLab, and Bitbucket all offer this), run tools like `gitleaks` or `truffleHog` in CI, rotate any key that has ever touched a public repo, and use a hardware security module (HSM) or secrets management service rather than storing raw private keys in files that could be committed.
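The secret-scanning advice in the previous section and in this answer can be applied with a few lines of code. The scanner below is an added example written for this article, not the tooling of any project named here; it looks for PEM private-key headers and for high-entropy hex or base64 tokens, using the hex/base64 entropy thresholds popularised by truffleHog (the thresholds and the sample diff are my own assumptions and constructions). It scans a single file or diff, and can also walk every commit on every branch of a local repository, because a key deleted in a later commit is still present in git history.

```python
"""Heuristic scanner for committed private keys in files, diffs, or full
git history (`git log -p --all`). Added example, not any project's tooling.
Thresholds follow the common hex/base64 entropy heuristic (an assumption)."""
import math
import re
import subprocess
import sys
from collections import Counter

PEM_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
HEX_RE = re.compile(r"[0-9a-fA-F]{20,}")
B64_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_THRESHOLD = 3.0  # bits per character; assumption tuned for hex keys
B64_THRESHOLD = 4.5  # bits per character; assumption tuned for base64 keys


def shannon_entropy(s: str) -> float:
    """Bits per character of the token's empirical character distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, diff: bool = False):
    """Return [(line_no, kind, redacted_excerpt)] for suspicious content.

    In diff mode, lines a commit removed ('-' prefix) are skipped; the line
    number then refers to the scanned stream, not to a file. Removing a key in
    a later commit does not purge it from history, which is why
    scan_git_history() scans the added lines of every commit."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if diff and line.startswith("-") and not line.startswith("---"):
            continue
        if PEM_RE.search(line):
            findings.append((no, "pem-private-key", line.strip()[:40]))
            continue
        seen = set()  # a hex token also matches B64_RE; report it once
        for regex, kind, threshold in (
            (HEX_RE, "hex-high-entropy", HEX_THRESHOLD),
            (B64_RE, "base64-high-entropy", B64_THRESHOLD),
        ):
            for tok in regex.findall(line):
                if tok not in seen and shannon_entropy(tok) >= threshold:
                    seen.add(tok)
                    findings.append((no, kind, tok[:6] + "...(redacted)"))
    return findings


def scan_git_history(repo: str = "."):
    """Run the scanner over every commit on every branch of a local repository."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return scan_text(out, diff=True)


# Constructed sample diff; the key below is made up and is not a real credential.
SAMPLE_DIFF = """\
diff --git a/config/prover.toml b/config/prover.toml
--- a/config/prover.toml
+++ b/config/prover.toml
@@ -1,3 +1,4 @@
 [prover]
 name = "sgx-prover-01"
+# constructed sample key, not a real credential
+signing_key = "deadbeefcafef00d0123456789abcdef0123456789abcdefdeadbeefcafef00d"
-old_key = "0000000000000000000000000000000000000000"
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python scan_secrets.py [path-to-repo]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for no, kind, excerpt in scan_git_history(target):
        print(f"{no}: {kind}: {excerpt}")
```

Running `scan_text(SAMPLE_DIFF, diff=True)` reports the hex key on the added `signing_key` line and the PEM header, while the all-zero placeholder and ordinary source paths fall below the entropy thresholds. A hit should be treated as a rotation event, not just a cleanup: once a key has been pushed to a public remote, assume it was cloned.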
Sources
- Taiko bridge exploited — Web3 Is Going Great
- Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives 10% — CoinDesk
- Taiko Bridge Drained $1.7M After SGX Signing Key Left Exposed on GitHub — The Defiant
- Taiko Bridge Exploit June 2026: $1.7M SGX Key Leak Explained — SpotedCrypto