An attacker compromised the Hyperbridge gateway contract on April 13, 2026, creating 1 billion unauthorized Polkadot (DOT) tokens on the Ethereum network. After minting the supply, the perpetrator dumped the tokens in a single transaction, netting approximately 108.2 ETH, or roughly $237,000.
Blockchain security firm CertiK identified the root cause of the breach. According to their analysis, the attacker utilized a forged message to manipulate the admin role of the token contract, granting them unauthorized minting privileges.
Scope of the incident
Polkadot officials confirmed the breach via a public statement, clarifying that the damage is isolated. The team specified that the exploit affects only DOT tokens bridged through the Hyperbridge gateway contract on Ethereum.
"Polkadot, its parachains, and native DOT remain secure and unaffected," the project stated on X. "Hyperbridge has been paused while the issue is investigated."
On-chain data provided by Lookonchain confirmed the timeline of the attack and the subsequent liquidation of the minted assets. The event serves as the latest in a series of security incidents targeting cross-chain bridge infrastructure.
Developers have halted the affected bridge to prevent further unauthorized activity. Users holding DOT tokens on Ethereum are advised to monitor official channels for updates regarding the restoration of bridge services.
