Adshares appears to have suffered a bridge exploit worth about $628,000 after an attacker allegedly used invalid native-chain transaction IDs to mint wrapped ADS on Ethereum and sell the tokens into available liquidity.
Security researcher Chris Dior flagged the incident, saying the bridge-minter externally owned account signed three wrapTo() calls tied to non-existent native-chain txids. Those signatures allegedly allowed the attacker to mint fake wADS, then dump the tokens for roughly 148.5 ETH and about $305,000 in USDC on Ethereum.
The claim had not yet been followed by a full public Adshares postmortem at publication time. That means the loss figure, attack path and transaction interpretation should be treated as monitor-flagged until the project confirms the final root cause, affected contracts, recovery status and any compensation plan.
The incident targets the reserve logic behind wrapped assets rather than the basic idea of the Adshares network. Adshares’ own blockchain materials say ADS exists on multiple blockchains as wrapped tokens, with native coins removed from circulation and held in reserve so that reserve balances remain greater than or equal to wrapped supply. A fake mint breaks that economic assumption because the wrapped token enters Ethereum circulation without a matching native-chain lock or burn.
Bridge Validation Becomes The Failure Point
The alleged exploit path is a classic bridge-verification failure. The system appears to have accepted signed mint instructions without properly validating that the referenced native-chain transactions existed and backed the requested wADS issuance. Once the fake supply reached Ethereum, the attacker could sell into real liquidity and leave traders or pools holding unbacked tokens.
Bridge attacks have repeatedly shown that the critical weakness is often not the destination token contract alone, but the message and proof layer deciding whether a cross-chain event is legitimate. Recent bridge incidents have already pushed large protocols to rethink routing and security assumptions, including Lombard’s move to shift more than $1 billion of Bitcoin-backed assets toward Chainlink CCIP after the KelpDAO exploit. Similar concerns surfaced when Syndicate investigated a Commons bridge compromise tied to cross-chain transfer infrastructure.
For Adshares, the immediate security questions are narrow and concrete: whether the bridge-minter key was compromised or misused, whether signature checks failed at the application layer, which three mint calls created the fake wADS, whether liquidity providers can be made whole, and whether the bridge has been paused or restricted.
The current verified status is limited. A public monitor has attributed about $628,000 in losses to fake bridge mint validation, the attacker reportedly exited into ETH and USDC on Ethereum, and an official postmortem is still needed to confirm the exploit path, final loss amount, contract status and user impact.
Be the first to comment