Polkadot-Ethereum Hyperbridge exploit mints 1B fake DOT, but thin liquidity limits attacker haul to about $237K while exposing deep cross-chain verification flaws.
Summary
- Hyperbridge cross-chain gateway is exploited to mint 1 billion fake DOT-equivalent tokens on Ethereum.
- Attacker gains admin rights via forged cross-chain message and cashes out roughly $237,000.
- Incident highlights structural failures in bridge verification, echoing other 2026 cross-chain hacks.
An attacker exploited the Hyperbridge cross-chain gateway linking Polkadot to Ethereum to gain administrative control over a DOT-linked token contract and mint roughly 1 billion fake DOT-equivalent tokens, ultimately extracting about $237,000 in ether. The breach, disclosed on April 13, hinged on a forged cross-chain message that bypassed state-proof verification and reassigned the contract admin, exposing a deep failure in how the bridge validated messages that should have been gated by multi-signature or on-chain checks.
According to blockchain security firm CertiK, “the attacker slipped through a forged message to change the admin of Polkadot token contract on Ethereum and profited ~$237K from minting and selling 1B tokens,” turning a single validation lapse into near‑infinite minting power. AMBCrypto reported that the attacker used Hyperbridge’s Interoperable State Machine Protocol to “bypass state-proof verification within the smart contract,” then dumped a small fraction of the 1 billion phantom tokens into available liquidity pools.
Intellectia.AI noted that the attacker exploited “a vulnerability in the Hyperbridge gateway smart contract on Ethereum, creating 1 billion unauthorized DOT tokens through message forgery,” and then liquidated the position in a single transaction for around $237,000, or roughly 108.2 ETH at current prices. Crucially, the damage was limited by thin liquidity: the fake supply nuked the price of the bridged DOT representation rather than the underlying Polkadot network, which remained technically unaffected.
Polkadot’s native DOT, which trades near $1.20, saw a modest spillover as market participants digested yet another reminder that bridges, not base layers, are often the weakest links in multi-chain architecture. As one recap on TradingView put it, the episode “shook confidence in Polkadot’s cross-chain ecosystem” precisely because the exploited component branded itself as critical infrastructure rather than an experimental side project.
The Hyperbridge hack lands in a year already marked by repeated bridge failures, including a $3 million CrossCurve exploit and an Aethir bridge incident that still managed to keep user losses below $90,000 after rapid containment, as covered in a previous crypto.news story. Together, these incidents underscore that any cross-chain design that centralizes admin authority in a single contract or small committee remains an attractive target, with attackers repeatedly using forged messages to unlock or mint assets far beyond what their actual collateral should allow.
Be the first to comment