Attacker mints $1 billion Polkadot tokens on Ethereum, ends up stealing just $250,000
A forged cross-chain message bypassed state proof validation on the bridge contract, granting admin control over the bridged DOT token and allowing the attacker to mint and dump the entire supply for $237,000.
What to know:
- An attacker exploited a vulnerability in Hyperbridge’s Ethereum gateway contract to mint 1 billion bridged Polkadot tokens and dump them for about $237,000 in ether.
- The exploit, which did not affect Polkadot’s core network or native DOT, abused a flawed cross-chain message validation path to seize admin control of the bridged token contract.
- The attacker’s profit was limited by shallow liquidity in the Ethereum DOT pool, but security firms warn that similar bridge flaws on deeper pools or higher-value assets could lead to far larger losses.
The exploit adds to a growing list of bridge vulnerabilities in 2026. Last month saw a $270 million Drift Protocol drain on Solana, which, while a social engineering attack rather than a code exploit, similarly involved compromised infrastructure.
The Sunday exploit targeted the bridge contract, not Polkadot’s core network. Polkadot’s native token DOT was unaffected. The vulnerability sat in how Hyperbridge’s EthereumHost contract validates incoming cross-chain messages before passing them to the TokenGateway.
Bridges, which help move coins from one blockchain to another, remain the weakest link in cross-chain architecture because they hold admin-level control over token contracts on destination chains, meaning a single validation failure can grant an attacker the ability to mint unlimited supply.
