While crypto breaches are fairly common, it’s unusual for attackers to gamble big and end up with such a small payoff—a scenario that played out on Sunday.
An attacker took advantage of a flaw in Hyperbridge’s cross-chain gateway—which links multiple blockchains—to mint 1 billion Polkadot tokens (worth about $1.19 billion) on Ethereum in a single transaction, later offloading them for roughly $237,000 in ether.
How The Incident Played Out
The vulnerability was located in how Hyperbridge’s EthereumHost contract verifies incoming cross-chain messages before forwarding them to the TokenGateway.
Onchain Lens flagged the incident, noting that control was transferred to the attacker’s contract before the tokens were minted and sold — triggering a collapse in the price of bridged Polkadot from $1.22 to mere fractions of a cent.
However, the limited liquidity in the Ethereum bridged Polkadot pool was quickly overwhelmed by the 1 billion minted tokens, ultimately reducing the attacker’s gains to just 108.2 Ethereum—worth around $237,000 after the swap.
 
In response, Polkadot stated in a post on X that the exploit is limited to DOT bridged to Ethereum via Hyperbridge, and does not impact the broader Polkadot ecosystem or DOT bridged through other platforms.
Polkadot added that Hyperbridge has been paused while the issue is under investigation. Contributor “Web3 Philosopher” said the initial assessment suggested a malicious proof that managed to deceive the protocol’s Merkle tree verification system.
South Korean crypto exchanges Upbit and Bithumb have temporarily halted Polkadot deposits and withdrawals, citing indications of a security incident in their official notices.
Meanwhile, Polkadot’s native token, DOT, was trading at $1.18 as of publication time, after briefly dropping to a daily low of $1.16 following the incident, CoinGecko data shows.
The Sunday incident adds to a rising wave of bridge-related exploits in 2026. As ZyCrypto reported last month, Drift Protocol suffered a $270 million drain on Solana. While that case was driven by social engineering rather than a code exploit, it further underscored that compromised infrastructure remains a major attack vector.
Be the first to comment