A blockchain token bridge known as Hyperbridge experienced a technical exploit, resulting in the artificial creation of 1 billion Polkadot (DOT) tokens valued at over $1.1 billion. However, only around $237,000 was cashed out due to liquidity constraints, according to a Monday report by the firm.
The protocol, which facilitates fund transfers between different blockchains like Ethereum and Polkadot, identified the exploit as stemming from a vulnerability in its proof verification logic. The perpetrator remains unidentified.
“This flaw allowed invalid proofs to be mistakenly accepted as valid,” Hyperbridge stated on X. “Consequently, a malicious message was processed that provided the attacker with administrative control over the bridged DOT token contract on Ethereum.”
After gaining control of this contract, the exploiter minted 1 billion bridged DOT tokens, inflating the bridged DOT supply by approximately 2,800 times its actual size. For context, the total native, non-bridged DOT supply stands at just 1.6 billion tokens.
The exploit was confined exclusively to the bridged DOT on Ethereum, which both the firm and the Polkadot blockchain team confirmed. Native DOT on the Polkadot relay chain, parachains, and other Hyperbridge assets were unaffected.
After minting, the attacker sold the tokens directly on decentralized exchanges and secured around $237,000, which was all the trading liquidity available. With sufficient liquidity, a holder of approximately 1 billion DOT tokens could have realized over $1 billion: the token was priced at $1.17, down 4.6% in the last 24 hours.
DOT has fallen more than 68% over the last year of trading and is nearly 98% below its November 2021 peak of $54.98. It currently trades just above its all-time low of $1.15, recorded in February.
The protocol’s application is currently down for maintenance as it implements additional safeguards and collaborates with security partners to recover the stolen funds.
Bridge protocols have faced multiple exploits over time, including Ronin Network’s $552 million breach in 2022, which U.S. agencies linked to North Korea’s Lazarus hacking group. This latest exploit adds to ongoing concerns about DeFi protocol security, coming after Solana’s Drift Protocol lost more than $285 million on April 1 to a North Korean-linked hacker.