A hacker exploited a vulnerability in the Hyperbridge protocol to mint 1 billion bridged Polkadot (DOT) tokens on the Ethereum blockchain, according to a statement from the firm on Monday.
The exploit targeted the protocol's proof verification logic, allowing an unidentified attacker to gain administrative control over the bridged DOT token contract. This flaw enabled the artificial creation of tokens worth an estimated $1.1 billion.
“This flaw allowed invalid proofs to be incorrectly accepted as valid,” Hyperbridge posted on X. “As a result, a malicious message was processed that granted the attacker administrative control of the bridged DOT token contract on Ethereum.”
Despite the massive minting event, the attacker could only extract approximately $237,000 from the exploit. The discrepancy between the $1.1 billion paper value and the actual loss stems from the lack of sufficient trading liquidity on decentralized exchanges.
Impact on Polkadot network
The incident is strictly limited to bridged DOT on the Ethereum network. Hyperbridge confirmed that native DOT on the Polkadot relay chain, parachains, and other assets managed by the bridge remain secure and unaffected.
The attacker's minting of 1 billion tokens exceeded the existing supply of bridged DOT by roughly 2,800 times. For context, the total native, non-bridged DOT supply is approximately 1.6 billion tokens.
Hyperbridge has taken its application offline for maintenance. The team is currently implementing additional safeguards and working with security partners to attempt the recovery of the stolen funds.
This breach follows a string of high-profile bridge exploits in the DeFi space. In 2022, the Ronin Network suffered a $552 million loss linked to North Korean hackers, while Solana’s Drift Protocol lost over $285 million in early April.
