Headline: Hacker mints 1 billion bridged DOT via Ethereum bridge — theoretically worth $1.1B, but only $237K cashed out due to thin liquidity
A critical bridge exploit allowed a bad actor to mint roughly 1 billion bridged Polkadot (DOT) tokens on Ethereum — an amount that would be worth about $1.1 billion at current prices — but the attacker was only able to extract about $237,000 before running into liquidity limits, Hyperbridge said Monday.
What happened
- Hyperbridge, a cross-chain bridge that moves assets between networks (in this case Ethereum and Polkadot), says the attack stemmed from a flaw in its proof verification logic. The bug caused invalid proofs to be accepted as valid, letting a malicious message be processed that granted the attacker administrative control of the bridged DOT token contract on Ethereum.
- With that control, the attacker minted ~1,000,000,000 bridged DOT — roughly 2,800 times the existing bridged DOT supply on Ethereum. For context, the total native DOT supply on Polkadot is only about 1.6 billion tokens.
- The attacker then sold the minted tokens on decentralized exchanges, but could only realize about $237,000 because of limited trading liquidity for bridged DOT on Ethereum. Hyperbridge noted that if sufficient liquidity had existed, those 1 billion tokens could have netted more than $1 billion at current DOT prices (DOT is trading around $1.17, down ~4.6% in 24 hours).
Scope and impact
- Hyperbridge and the Polkadot team say the incident was isolated to the bridged DOT token on Ethereum. Native DOT on the Polkadot relay chain and parachains, and other assets routed through Hyperbridge, remain secure and were not affected.
- The attacker has not been publicly identified. Hyperbridge has taken its app offline for maintenance, deployed “additional safeguards,” and is working with security partners to try to recover funds.
Why it matters
- Bridges remain a recurring attack vector in crypto. Large-scale bridge hacks have previously resulted in major losses — notably the Ronin Network bridge exploit in 2022 that stole about $552 million and was linked by U.S. agencies to North Korea’s Lazarus group. More recently, Solana’s Drift Protocol lost over $285 million on April 1 in an attack also tied to a North Korea-linked actor.
- This incident underscores two persistent risks: smart-contract vulnerabilities in cross-chain bridges and the liquidity constraints that can limit or, conversely, amplify the impact of token-minting exploits.
Market context
- DOT has fallen sharply over the past year (down roughly 68%) and is trading near multi-year lows; it’s about 98% below its November 2021 all-time high of $54.98 and just above its all-time low of $1.15 set in February.
What’s next
- Hyperbridge is coordinating investigations and remediation steps. As with past bridge incidents, outcome options may include tracing and freezing proceeds on-chain, negotiations with centralized services that received funds, and protocol-level fixes — but recovery is never guaranteed.
We’ll update if Hyperbridge, Polkadot, or security firms disclose new details about the attacker, recovered funds, or mitigation measures.
Read more AI-generated news on: undefined/news
