Polkadot-Ethereum Hyperbridge exploit mints 1B fake DOT, but thin liquidity limits attacker haul to about $237K while exposing deep cross-chain verification flaws.
An attacker exploited the Hyperbridge cross-chain gateway linking Polkadot to Ethereum to gain administrative control over a DOT-linked token contract and mint roughly 1 billion fake DOT-equivalent tokens, ultimately extracting about $237,000 in ether. The breach, disclosed on April 13, hinged on a forged cross-chain message that bypassed state-proof verification and reassigned the contract admin, exposing a deep failure in how the bridge validated messages that should have been gated by multi-signature or on-chain checks.
According to blockchain security firm CertiK, “the attacker slipped through a forged message to change the admin of Polkadot token contract on Ethereum and profited ~$237K from minting and selling 1B tokens,” turning a single validation lapse into near‑infinite minting power. AMBCrypto reported that the attacker used Hyperbridge’s Interoperable State Machine Protocol to “bypass state-proof verification within the smart contract,” then dumped a small fraction of the 1 billion phantom tokens into available liquidity pools.
Intellectia.AI noted that the attacker exploited “a vulnerability in the Hyperbridge gateway smart contract on Ethereum, creating 1 billion unauthorized DOT tokens through message forgery,” and then liquidated the position in a single transaction for around $237,000, or roughly 108.2 ETH at current prices. Crucially, the damage was limited by thin liquidity: the fake supply nuked the price of the bridged DOT representation, while the underlying Polkadot network remained technically unaffected.
Polkadot’s native DOT, which trades near $1.20, saw a modest spillover as market participants digested yet another reminder that bridges, not base layers, are often the weakest links in multi-chain architecture. As one recap on TradingView put it, the episode “shook confidence in Polkadot’s cross-chain ecosystem” precisely because the exploited component branded itself as critical infrastructure rather than an experimental side project.
The Hyperbridge hack lands in a year already marked by repeated bridge failures, including a $3 million CrossCurve exploit and an Aethir bridge incident in which user losses were kept below $90,000 after rapid containment, as covered in a previous crypto.news story. Together, these incidents underscore that any cross-chain design that centralizes admin authority in a single contract or small committee remains an attractive target, with attackers repeatedly using forged messages to unlock or mint assets far beyond what their actual collateral should allow.


