A significant security lapse in Hyperbridge, the decentralized bridge linking Polkadot to Ethereum, let an attacker mint 1 billion unauthorized DOT tokens on the Ethereum side of the bridge. The attacker's potential multimillion-dollar gain was, however, limited to around $240,000, because there was not enough market liquidity to sell the fake assets at anything near face value.
Although direct financial losses were contained, the breach has caused considerable concern within the Polkadot ecosystem and contributed to a drop in DOT's value amid wider apprehension about cross-chain security. Despite the incident, Polkadot's ecosystem remains well funded, with $210 million in its treasury, as highlighted by Oluwapelumi Adejumo on Dec 31, 2024.
Analysts at BlockSec Phalcon traced the exploit to a "Merkle Mountain Range (MMR) proof replay vulnerability" in Hyperbridge's validation of cross-chain messages. Because of insufficient input verification in the `VerifyProof()` function, the attacker was able to present proofs that the verifier accepted as valid and use them to mint tokens. In a proof replay of this kind, a proof that passed validation once is accepted again instead of being rejected as already consumed, so a single legitimately committed message can be turned into repeated mints.
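To make the replay failure mode concrete, here is an added example, my own Python model rather than Hyperbridge's or BlockSec's code, of a cross-chain mint verifier. A plain binary Merkle tree stands in for the MMR (the replay logic is the same for both), and the `MintMessage` fields, the two gateway classes and the sample messages are assumptions constructed for the illustration; `VerifyProof()` is only named after the function the analysts cited, its body is not Hyperbridge's. The naive gateway checks only that a proof is valid against the trusted root, so one legitimately committed mint can be replayed indefinitely; the hardened gateway also checks the destination chain and records each consumed nonce before crediting.

```python
"""Replay-safe cross-chain mint verification, modelled in Python.
Added illustration, not Hyperbridge's code: a plain binary Merkle tree stands in
for the Merkle Mountain Range, and the gateway classes, message fields and sample
messages are constructed for the example."""
import hashlib
from dataclasses import dataclass


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class MintMessage:
    nonce: int        # unique per message on the source chain
    dest_chain: str   # chain the mint is addressed to
    recipient: str
    amount: int

    def leaf(self) -> bytes:
        # 0x00 prefix domain-separates leaves from inner nodes (0x01).
        payload = f"{self.nonce}|{self.dest_chain}|{self.recipient}|{self.amount}"
        return h(b"\x00" + payload.encode())


def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)


def build_tree(leaves):
    """Levels of the tree, leaves first, root last; odd levels duplicate their last node."""
    levels, level = [], list(leaves)
    while True:
        if len(level) % 2 and len(level) > 1:
            level.append(level[-1])
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def make_proof(leaves, index):
    """Return (root, proof); proof is a list of (sibling_hash, sibling_on_right)."""
    levels, proof = build_tree(leaves), []
    for level in levels[:-1]:
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return levels[-1][0], proof


def verify_merkle(leaf, proof, root) -> bool:
    for sibling, sibling_on_right in proof:
        leaf = node(leaf, sibling) if sibling_on_right else node(sibling, leaf)
    return leaf == root


class NaiveGateway:
    """Weak pattern (constructed): proof validity is the only check, so a proof
    accepted once is accepted again and mints on every replay."""

    def __init__(self, trusted_root):
        self.trusted_root, self.minted = trusted_root, {}

    def VerifyProof(self, msg, proof) -> bool:
        return verify_merkle(msg.leaf(), proof, self.trusted_root)

    def mint(self, msg, proof):
        if not self.VerifyProof(msg, proof):
            raise ValueError("invalid proof")
        self.minted[msg.recipient] = self.minted.get(msg.recipient, 0) + msg.amount


class HardenedGateway:
    """Proof must match the root set by the consensus client (never the caller),
    target this chain, and carry a nonce that has not already been consumed."""

    def __init__(self, trusted_root, chain_id):
        self.trusted_root, self.chain_id = trusted_root, chain_id
        self.consumed, self.minted = set(), {}

    def VerifyProof(self, msg, proof) -> bool:
        if msg.dest_chain != self.chain_id or msg.nonce in self.consumed:
            return False
        return verify_merkle(msg.leaf(), proof, self.trusted_root)

    def mint(self, msg, proof):
        if not self.VerifyProof(msg, proof):
            raise ValueError("rejected")
        self.consumed.add(msg.nonce)  # record before crediting; a replay now fails
        self.minted[msg.recipient] = self.minted.get(msg.recipient, 0) + msg.amount


def demo():
    # Constructed batch of messages committed by the source chain.
    msgs = [MintMessage(1, "ethereum", "alice", 100),
            MintMessage(2, "ethereum", "bob", 50),
            MintMessage(3, "polkadot", "carol", 7)]
    leaves = [m.leaf() for m in msgs]
    root, proof0 = make_proof(leaves, 0)
    naive = NaiveGateway(root)
    for _ in range(5):  # the same valid proof, replayed five times
        naive.mint(msgs[0], proof0)
    hard = HardenedGateway(root, "ethereum")
    hard.mint(msgs[0], proof0)
    forged = MintMessage(4, "ethereum", "alice", 10**9)  # tampered leaf, old proof
    return {"naive_alice": naive.minted["alice"],
            "hardened_alice": hard.minted["alice"],
            "replay_rejected": not hard.VerifyProof(msgs[0], proof0),
            "wrong_chain_rejected": not hard.VerifyProof(msgs[2], make_proof(leaves, 2)[1]),
            "forgery_rejected": not hard.VerifyProof(forged, proof0)}
```

Calling `demo()` shows five replays crediting 500 to the naive gateway against 100 for the hardened one, with the replay, the message addressed to another chain and the tampered amount all rejected. The order inside `mint()` matters: the nonce is recorded before the balance is credited, the same checks-effects-interactions discipline an on-chain gateway needs.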
Before the main attack, around 245 ETH was drained from a related TokenGateway contract, as noted by on-chain analyst Specter; those funds were quickly laundered through Tornado Cash. The incident's financial impact was limited by shallow market depth: when the attacker tried to swap the fake DOT for ETH, the liquidity pool's limited capacity meant each sale pushed the token's price sharply lower, so only a small fraction of the minted supply could be converted.
Ironically, the breach came shortly after Hyperbridge's April Fools' Day post about a fictional $37 million exploit. The prank has now become reality, and Polkadot developers and Parity Technologies must address the real-world consequences of a vulnerability that was isolated to the Ethereum-side gateway contract.
Although neither Polkadot's core network nor its parachains were compromised, DOT's price fell about 5% on news of the breach, approaching its all-time low. Cross-chain bridges like Hyperbridge are repeatedly targeted because of their complex infrastructure and the large asset reserves they hold, an ongoing challenge for Web3 security.