April 13, 2026 ChainGPT

Hyperbridge Flaw Lets Attacker Mint 1B Bridged DOT — Low Liquidity Caps Haul at ~$237K

A high-stakes bridge exploit over the weekend looked dramatic on-chain — but ultimately netted the attacker only pocket change.

What happened

- An attacker abused a flaw in Hyperbridge’s cross-chain gateway on Ethereum to mint 1 billion bridged Polkadot (DOT) tokens — a nominal supply worth about $1.19 billion at market price.
- Instead of walking away with a blockbuster haul, the attacker swapped the fake supply into ETH and extracted roughly $237,000 (commonly reported as roughly $250k), receiving about 108.2 ETH across multiple trades.

How the exploit worked

- The bug lived in Hyperbridge’s EthereumHost → TokenGateway message path. Bridges accept cross-chain messages and then update token contracts on destination chains; that gives them admin-level control if message validation fails.
- On this call path, the bridge’s receipt check used an all-zero commitment value, indicating the usual proof validation was either missing or bypassed. The forged message was processed as valid.
- The message triggered changeAdmin on the bridged DOT contract, handing admin privileges to the attacker. With admin control the attacker minted 1 billion bridged DOT in a single transaction and routed the tokens through Odos Router V3 into a Uniswap V4 DOT–ETH pool to cash out.
- Limited liquidity in the bridged DOT pool on Ethereum caused the huge sell to crash the price, capping the attacker’s proceeds at a few hundred thousand dollars. By contrast, the same vulnerability exploited against a deeper pool or higher-value bridged asset could have caused far larger losses.

Scope and impact

- This attack affected only the bridged DOT contract on Ethereum and Hyperbridge’s gateway — Polkadot’s native network and the native DOT token were not compromised.
- CertiK flagged the incident and confirmed the bridge gateway as the attack vector and the attacker’s profit at roughly $237k.
- Hyperbridge has not issued a public comment or disclosed whether other tokens using the same gateway are vulnerable.

Broader context

- Bridges continue to be one of the riskiest pieces of cross-chain infrastructure because they hold the power to mint or move assets on destination chains when validation is flawed.
- The exploit adds to a string of bridge and cross-chain incidents in 2026, following events such as the $270 million Drift Protocol drain on Solana and other attacks involving compromised infrastructure or social engineering.

Takeaway

- The event is a reminder that message validation and end-to-end proof checks are critical for bridge security. While this attack produced an unusually small payday because of poor liquidity, the underlying vulnerability could have enabled far larger thefts had it targeted a deeper market or higher-value bridged asset. Hyperbridge’s silence leaves outstanding questions about exposure of other bridged tokens.
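
The fail-closed receipt check that the takeaway calls for can be modelled in a few lines. This is an added example, not Hyperbridge's code: the `Message` shape, the `Gateway` class, its method names and the sample admin values are hypothetical, and SHA-256 stands in for whatever commitment hash the bridge actually uses.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

ZERO = bytes(32)  # the all-zero commitment the article describes

@dataclass(frozen=True)
class Message:  # hypothetical message shape, not Hyperbridge's format
    source: bytes
    nonce: int
    action: str
    body: bytes

def commitment(msg: Message) -> bytes:
    """Bind every field; SHA-256 stands in for the bridge's real hash."""
    h = hashlib.sha256()
    for part in (msg.source, msg.nonce.to_bytes(8, "big"), msg.action.encode(), msg.body):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.digest()

class Gateway:
    def __init__(self) -> None:
        self.admin = "bridge-governance"   # constructed sample value
        self.verified: set = set()         # filled only by proof verification
        self.consumed: set = set()         # commitments already executed

    def record_verified(self, c: bytes) -> None:
        """Stand-in for the proof-verification step (not modelled here)."""
        if c == ZERO:
            raise ValueError("zero commitment can never be verified")
        self.verified.add(c)

    def rejection(self, msg: Message, claimed: bytes) -> Optional[str]:
        """Return why the message must be refused, or None if it may run."""
        if claimed == ZERO:
            return "zero commitment"
        if claimed != commitment(msg):
            return "commitment does not match message"
        if claimed not in self.verified:
            return "no verified proof"
        if claimed in self.consumed:
            return "replay"
        return None

    def dispatch(self, msg: Message, claimed: bytes) -> bool:
        if self.rejection(msg, claimed) is not None:
            return False                   # fail closed: no state change
        self.consumed.add(claimed)
        if msg.action == "changeAdmin":    # privileged action named in the article
            self.admin = msg.body.decode()
        return True
```

The same four conditions work as a monitoring rule: any privileged gateway action whose receipt commitment is zero, or has no matching verification record, is worth an alert.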