Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 264 · Bridge Exploit

IoTeX ioTube Bridge Key Compromise

$4.3M drained from IoTeX's ioTube bridge via a validator key compromise; attacker also minted 111M CIOTX and 9.3M CCS. IoTeX pledged full user compensation.

Victim: IoTeX
Status: Partially Recovered

On February 21, 2026, the IoTeX blockchain's cross-chain bridge ioTube was drained of approximately $4.3 million after a validator key compromise gave the attacker full control over the bridge's Ethereum-side TokenSafe contract. The attacker also minted 111 million CIOTX tokens ($4M) and 9.3 million CCS tokens ($4.5M) on the chain side. The IOTX token fell 22% in the aftermath; the IoTeX Foundation committed to 100% user compensation from treasury.

What happened

ioTube was IoTeX's cross-chain bridge connecting the IoTeX blockchain to Ethereum and other EVM networks. The bridge's withdrawal authorisation depended on signatures from a validator key — compromise of this key meant full control over the bridge's reserves.

The attacker:

  1. Obtained the validator private key through a vector that was not publicly detailed (consistent with endpoint compromise of a validator-operator machine).
  2. Drained the TokenSafe contract on Ethereum of approximately $4.3M in mixed assets: USDC, USDT, IOTX, WBTC, BUSD.
  3. Used the validator authority on the IoTeX chain side to mint 111M CIOTX and 9.3M CCS tokens — wrapped IoTeX-chain representations that should have been backed 1:1 by deposits.
  4. Swapped the drained assets to ETH via Uniswap and other DEX aggregators.
  5. Bridged approximately 45 ETH to the Bitcoin network for further obfuscation.
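The 1:1 backing expectation in step 3 can be checked without trusting any validator signature, which matters here because a stolen key produces valid signatures. The following is an added example, not IoTeX or ioTube code: a reconciliation monitor that pairs each mint with a lock and each release with a burn. The event shape, the `transfer_id` field and the sample amounts are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str         # reserve side: "lock"/"release"; wrapped side: "mint"/"burn"
    asset: str
    amount: int
    transfer_id: str  # hypothetical id linking the two legs of one transfer

# Each outbound action must be justified by exactly one inbound action of equal size.
COUNTERPART = {"mint": "lock", "release": "burn"}

def audit(events):
    """Return (alerts, backing) where backing[asset] = locked reserves - wrapped supply."""
    inbound, consumed, alerts = {}, set(), []
    locked, supply = defaultdict(int), defaultdict(int)
    for ev in events:
        if ev.kind in ("lock", "burn"):
            inbound[(ev.kind, ev.asset, ev.transfer_id)] = ev.amount
        else:
            key = (COUNTERPART[ev.kind], ev.asset, ev.transfer_id)
            if key in consumed:
                alerts.append((f"replayed {ev.kind}", ev))
            elif inbound.get(key) != ev.amount:
                alerts.append((f"{ev.kind} without matching {key[0]}", ev))
            else:
                consumed.add(key)
        # Track balances even for alerted events so the invariant reflects chain state.
        if ev.kind == "lock":
            locked[ev.asset] += ev.amount
        elif ev.kind == "release":
            locked[ev.asset] -= ev.amount
        elif ev.kind == "mint":
            supply[ev.asset] += ev.amount
        elif ev.kind == "burn":
            supply[ev.asset] -= ev.amount
    backing = {a: locked[a] - supply[a] for a in set(locked) | set(supply)}
    return alerts, backing

# Constructed sample events (not the real transactions or amounts).
SAMPLE = [
    Event("lock", "USDC", 1_000, "t1"),
    Event("mint", "USDC", 1_000, "t1"),     # backed by the lock above
    Event("mint", "CIOTX", 500, "t2"),      # no lock: unbacked mint
    Event("release", "USDC", 1_000, "t3"),  # no burn: reserve drain
]

if __name__ == "__main__":
    alerts, backing = audit(SAMPLE)
    print(alerts, {a: b for a, b in backing.items() if b < 0})
```

A negative `backing` value means wrapped supply exceeds locked reserves for that asset, which is the condition to alert on and to pause the bridge for.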

Aftermath

  • IoTeX paused the ioTube bridge and blacklisted 29 hacker addresses on the chain side.
  • The IoTeX Foundation committed to 100% user compensation from treasury reserves.
  • Mainnet operations resumed on February 24 after security upgrades were implemented.
  • The Foundation initially offered a $440K bounty (10%) for the return of funds; the attacker did not publicly accept.
  • Some recovery occurred through coordination with exchanges that froze flagged addresses; the bulk of the funds remained laundered.

Why it matters

The IoTeX incident continues a multi-year pattern of validator-key compromises producing mid-sized bridge losses. The structural shape — small validator set, single-key authority over significant reserves, attacker pathway from key compromise to bridge drain — has recurred at:

  • Ronin (Mar 2022, $625M) — 5 of 9 validator keys.
  • Harmony (Jun 2022, $100M) — 2 of 5 validator keys.
  • Orbit Chain (Jan 2024, $82M) — 7 of 10 validator keys.
  • IoTeX (Feb 2026, $4.4M) — single validator key, smaller scale but identical pattern.

The defensive answers — larger validator sets, slashing-enforced attestation committees, multi-DVN configurations, threshold cryptography preventing single-key extraction — have been documented for years and continue to be unevenly adopted across bridge implementations.

The IoTeX Foundation's 100% compensation commitment is the increasingly standard response for projects with treasury depth, and one that users increasingly assume as the baseline expectation post-Bybit. The reputational cost of partial compensation, particularly for a chain-level project where the token's value depends on ecosystem trust, has made full compensation effectively mandatory for any project that wants to continue operating.

Sources & on-chain evidence

  1. [01] theblock.co: https://www.theblock.co/post/390698/iotex-hit-by-private-key-exploit-draining-up-to-8-8-million-from-bridge-contracts
  2. [02] cryptotimes.io: https://www.cryptotimes.io/2026/02/22/iotex-confirms-4-3m-iotube-bridge-breach-validator-key-compromised/
  3. [03] phemex.com: https://phemex.com/blogs/iotex-bridge-hack-cross-chain-risk-negotiations