Roughly $815,000 in digital assets moves out of the Alephium TokenBridge on Ethereum and into a single wallet address in barely 7 minutes.
No flash loan. No smart contract exploit. Just three compromised keys and a bridge architecture that hands full authority to whoever holds them.
How the attack unfolds:
According to Blockaid monitoring, the attacker gains access to three out of four guardian keys securing Alephium’s private Wormhole fork and uses them to sign six forged Verified Action Approvals, VAAs, the signed messages that authorize cross-chain transfers on Wormhole-based bridges.
🚨Blockaid detected an exploit targeting the Alephium TokenBridge on Ethereum.
~$815K drained in ~7 minutes via 3-of-4 compromised guardian keys signing forged VAAs. 13.76M wrapped ALPH minted (>100% of prior supply) + USDT/USDC/WBTC/WETH unlocked from custody.
More details in…
— Blockaid (@blockaid_) May 30, 2026
With those forged VAAs in hand, the attacker calls the `completeTransfer` function on the TokenBridge proxy contract. The contract does exactly what it is supposed to do: it verifies the signatures, finds them valid, and releases the assets.
The result is immediate. Frozen USDT, USDC, WBTC, and WETH are unlocked from the custody contract and transferred to the attacker. Simultaneously, 13.76 million wrapped ALPH tokens are minted directly into the attacker’s wallet, out of thin air, with no collateral backing them whatsoever. That figure represents more than 100% of the prior wrapped ALPH supply on Ethereum. The entire operation completes in roughly seven minutes.
As of the time of writing, the attacker’s address still holds the stolen assets, approximately $815,000 in mixed tokens plus the 13.76 million uncollateralized wrapped ALPH.
The Architecture That Made it Possible
To understand why this works, the structure of Alephium’s bridge matters. The project runs a private fork of the Wormhole protocol, but with a critically small guardian set of just four validators. Wormhole’s quorum formula means the minimum number of signatures required to authorize a VAA scales with the number of guardians. With four guardians, that threshold lands at exactly three.
Three compromised keys equals full bridge authority. No redundancy. No override. The math leaves no room for error, and the attacker exploits that gap with precision.
Blockchain security analysts identify the three signing addresses on the malicious VAAs as `0x214f15…ad29`, `0x78c7b8…7852`, and `0x9efb0c…89a1`. The only honest, unused guardian key, `0x4b2cbe…88fb`, sits on the sideline with no power to stop what is happening. One clean key out of four is not enough to prevent anything under this quorum structure.
This is not a flaw in the smart contract code. The contract performs correctly throughout the entire attack. What fails is the operational security around the guardian keys themselves, the human and infrastructure layer responsible for keeping those keys private and protected.
Alephium Responds and Shuts the Bridge Down
The Alephium team acknowledges the incident publicly, confirming awareness of a security incident affecting the bridge. The bridge is shut down immediately, and the team confirms that no new bridge transactions can currently be initiated, meaning the exploit pathway is closed, at least for now.
We are aware of a security incident affecting the Alephium bridge.
The bridge has been shut down, and no new bridge transactions can currently be initiated. As a result, the exploit can no longer be executed through the bridge.
Based on our investigation so far, the issue…
— Alephium (@alephium) May 30, 2026
The team’s early characterization of the root cause, however, diverges from the technical analysis put forward by on-chain security researchers. Alephium states that the issue appears to involve malicious event emission rather than a key compromise, while cautioning that the full scope is still being assessed and their understanding may evolve as more information becomes available. The team is actively investigating and promises further updates as soon as confirmed details are available.
That discrepancy between the initial team statement and the forensic evidence surfaced by independent researchers is worth watching. Key compromise and malicious event emission are not the same problem, and they do not carry the same implications for bridge security or recovery options.
What a Guardian Key Compromise Means in Practice
The distinction between a smart contract vulnerability and a key custody failure is not a technical footnote, it defines everything about the severity and the path to resolution.
Smart contract bugs can often be patched with an upgrade. Key compromises are a different category of problem entirely. Once private keys are in an attacker’s hands, every prior assumption about if those keys are protected becomes unreliable. The question of how three out of four guardian keys ended up compromised simultaneously, whether through infrastructure breach, insider access, phishing, or another vector, is the central question the investigation now needs to answer.
An undersized guardian set amplifies every operational mistake. Four guardians offer almost no tolerance for key compromise, and running that architecture on a live bridge holding user assets represents a significant risk management gap that the project will need to address before any rebuilt bridge goes live.
Token Holds But The Damage is Done
Despite the severity of the incident, ALPH continues to trade under relatively normal conditions. 
The token is down approximately 1.3% over the past 24 hours, a measured response from the market given the circumstances, though one that partly reflects the contained nature of the exploit. The attack targets the bridge specifically, not the underlying Alephium chain, which continues to operate without disruption.
The more lasting damage sits in the 13.76 million wrapped ALPH now circulating without collateral backing. Those tokens represent a liability that cannot simply be wished away. Any future bridge restart will need to account for that uncollateralized supply and the questions it raises about redemption, burn mechanisms, and user trust in wrapped assets on the Ethereum side.
What Comes Next for Alephium
The bridge is down and the attacker has not moved the funds. Whether that pause is strategic or simply the beginning of a longer laundering process remains to be seen. What the Alephium team needs to do now is straightforward, even if it is not easy: publish a full technical post-mortem, clarify the discrepancy between its early event-emission characterization and the key compromise evidence, and lay out a concrete plan for how the bridge gets rebuilt, with a guardian set large enough to actually provide security.
A four-guardian bridge with a three-of-four signing threshold is not a bridge design that belongs in production. Whatever comes next for Alephium’s cross-chain infrastructure needs to start from that acknowledgment.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!
Be the first to comment