Hackers stole $237,000 in the Bridged-Polkadot exploit after minting 1 billion DOT and converting them to 108 ETH

Hackers exploited a vulnerability in the Hyperbridge cross-chain bridge’s Ethereum gateway contract earlier today, minting 1 billion unauthorised wrapped Polkadot (DOT) tokens and swapping them for about 108.2 ETH, worth at least $237,000 in a single transaction.
The attack, which occurred around 3:55 a.m. UTC, targeted only bridged DOT assets on Ethereum and left Polkadot’s native blockchain, parachains, staking, and governance untouched. Hyperbridge, a Polkadot-based interoperability protocol that connects assets across chains using its Interoperability State Machine Protocol (ISMP), confirmed the breach in a post on X shortly after it was detected. “An exploit affected one of our Ethereum contracts,” the team stated. “We’ve paused all bridging and advised partners to halt related transactions while the team contains the issue.”

Polkadot’s official account echoed the reassurance hours later. “We’re aware of an issue affecting @hyperbridge’s Ethereum gateway contract,” it posted.

“The exploit only affects DOT on Ethereum that is bridged through Hyperbridge and does not affect DOT in the Polkadot ecosystem or DOT bridged through other bridges. Polkadot, its parachains, and native DOT remain secure and unaffected.”

The Mechanics of the Bridged-Polkadot exploit

​Verified by on-chain analysts and security firms, including CertiK, the exploit was executed in block 24,868,295 via transaction hash 0x240a…1109. The attacker’s wallet (0xC513…F8E7), a 33-day-old address, deployed a malicious subcontract and submitted forged Polkadot consensus proofs via the HandlerV1 contract.

Security researchers traced the root cause to a trio of critical flaws. First, the bridge’s challenge period was set to zero, removing any dispute window and allowing the forged state commitment to be accepted instantly. Second, there was insufficient validation in the HandlerV1 contract’s proof verification function. Finally, the consensus client contract (0xA0Ad…669a) lacked public source code verification. Preparing for months, the attacker successfully funded the wallet through privacy tools, including Railgun zk-shielded pools and Synapse Bridge, conducting test deployments on a live state before the attack.

Once in control, the attacker changed the admin of the bridged DOT token contract (0x8d01…90b8) and minted the full 1 billion tokens. The fake supply was then routed through decentralised exchange routers, including Uniswap V4, draining the available liquidity pools. The swap yielded 108.2 ETH before MEV bots replicated parts of the exploit on other Hyperbridge-wrapped assets such as ARGN, MANTA, and CERE. Total realised losses across the incident are estimated at $250,000 when including secondary extractions, though the primary haul remained limited by thin liquidity.

Also read: Trump-linked World Liberty Financial (WLFI) to sue Justin Sun in a $75m DeFi dispute
The incident triggered immediate market reactions. Bridged DOT prices in affected pools collapsed from roughly $1.22 to near zero. South Korean exchanges Upbit and Bithumb paused DOT deposits and withdrawals as a precaution. Leveraged positions saw more than $728,000 in liquidations, and broader DeFi liquidity tied to Hyperbridge-wrapped assets experienced temporary disruptions, wiping around $20 million in notional value from pools.
Hyperbridge powers multiple ERC-6160 tokens from Polkadot parachains, making the gateway a shared point of failure for several bridged assets. The EthereumHost contract was later fully frozen to prevent further damage. As of the time of filing this report, the attacker’s funds were observed moving through additional Railgun withdrawals in 15 ETH increments toward fresh exit wallets, with no large bridge-outs detected yet.

This marks the latest in a string of bridge-related exploits that have plagued decentralised finance, where billions have been lost historically due to proof validation gaps and configuration errors. Hyperbridge had positioned itself as a secure, cryptographically verified alternative leveraging Polkadot’s GRANDPA and BEEFY consensus mechanisms. The attack highlights how even advanced designs can fail when key parameters like challenge periods are minimised or when upstream verification contracts lack public source code audits.
No full forensic report from Hyperbridge or Polkadot has been released as investigations continue. Blockchain security firms CertiK and independent analysts continue monitoring the attacker’s movements. The incident serves as a reminder of the persistent risks in cross-chain infrastructure, even for protocols built on established networks like Polkadot.