A hacker exploited Hyperbridge, a cross-chain interoperability protocol connecting Polkadot and Ethereum. The attacker minted 1 billion bridged DOT tokens on Ethereum in a single transaction but walked away with just 108.2 ETH - around $237,000 - due to limited liquidity in the bridged DOT pool. Native DOT tokens and the broader Polkadot network were not affected.
How the attacker took control of the contract
According to cybersecurity platform CertiK, the attacker slipped a forged message through the protocol that changed the admin address of the DOT token contract on Ethereum. With admin rights, the hacker minted 1 billion tokens with no real backing.
Limited liquidity acted as a natural ceiling. Instead of billions in notional value, the attacker could only swap out 108.2 ETH - everything available in the pool. The rest of the minted tokens had no exit to liquid assets. Hyperbridge had marketed itself as a proof-based interoperability layer with full-node security for cross-chain bridges. The exploit puts those claims under scrutiny.
Incident details
Root cause: MMR proof replay vulnerability
Security firm Blocksec Falcon pointed to a Merkle Mountain Range (MMR) proof replay vulnerability caused by missing proof-to-request binding. The protocol did not verify that a cryptographic proof was tied to a specific request - so the attacker reused a valid old proof in a new context to authorize the minting.
Hyperbridge contributor Web3 Philosopher confirmed that initial analysis points to a malicious proof that tricked the protocol's Merkle tree verifier. The team has not yet confirmed the final root cause. MMR vulnerabilities in bridges are a known problem across the industry. When a proof can be replayed across different requests, it opens the door to exactly this kind of exploit.
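The missing proof-to-request binding described above can be shown in a small model. This is an added example, not Hyperbridge's code: it uses a plain four-leaf binary Merkle tree in place of an MMR, and every name and request string in it is constructed for illustration.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(request: bytes) -> bytes:
    return h(b"\x00", request)            # domain-separated leaf commitment

def build_proof(leaves, index):
    """Return (root, sibling path) for leaves[index]; leaf count is a power of two."""
    level, path = list(leaves), []
    while len(level) > 1:
        path.append(level[index ^ 1])     # sibling at this level
        level = [h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def root_from(leaf, index, path):
    node = leaf
    for sib in path:
        node = h(b"\x01", node, sib) if index % 2 == 0 else h(b"\x01", sib, node)
        index //= 2
    return node

def verify_unbound(root, proof, request):
    # Flawed: the proof supplies its own leaf, so `request` never enters the check.
    leaf, index, path = proof
    return root_from(leaf, index, path) == root

def verify_bound(root, proof, request):
    # Hardened: the leaf is recomputed from the request that is about to execute.
    _, index, path = proof
    return root_from(leaf_hash(request), index, path) == root

# Constructed sample data: four committed requests and one that was never committed.
REQUESTS = [b"request-0", b"request-1", b"request-2", b"request-3"]
UNCOMMITTED = b"constructed request that is not in the tree"
LEAVES = [leaf_hash(r) for r in REQUESTS]
ROOT, PATH = build_proof(LEAVES, 2)
OLD_PROOF = (LEAVES[2], 2, PATH)          # valid proof for request-2

if __name__ == "__main__":
    print("unbound accepts old proof for new request:",
          verify_unbound(ROOT, OLD_PROOF, UNCOMMITTED))
    print("bound accepts old proof for new request:  ",
          verify_bound(ROOT, OLD_PROOF, UNCOMMITTED))
    print("bound accepts proof for its own request:  ",
          verify_bound(ROOT, OLD_PROOF, REQUESTS[2]))
```

A production verifier would also record each request commitment it has executed, so that a correctly bound proof cannot be submitted a second time.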
Response and broader picture
Hyperbridge paused operations immediately after detecting the attack while working on an upgrade. Polkadot confirmed on X that native DOT tokens and the main network are safe. The DOT token briefly dipped to a daily low of $1.16 before recovering above $1.19.
This was not the only incident over the weekend. On Sunday, the SubQuery Network lost $130,000 due to missing access control in code written two years ago. For all of Q1 2026, DeFi hackers stole $168 million from 34 protocols - a steep drop from $1.58 billion in Q1 2025, when the $1.4 billion Bybit hack skewed the numbers. Cross-chain bridge attacks keep coming. This case shows that even proof-based architecture has gaps when the proof binding logic is incomplete.



