Crypto hacks are nothing new, but cases where attackers take big risks and walk away with peanuts are not common. The rare scenario unfolded on Sunday.
An attacker exploited a vulnerability in Hyperbridge’s cross-chain gateway that connects different blockchains, minted 1 billion Polkadot tokens ($1.19 billion) on Ethereum and dumped them for approximately $237,000 ether.
The exploit adds to a growing list of bridge vulnerabilities in 2026. Last month saw a $270 million Drift Protocol drain on Solana, while a social engineering attack rather than a code exploit involved compromised infrastructure.
Sunday’s exploit targeted the bridge contract, not Polkadot’s core network. Polkadot’s original token DOT was unaffected. The vulnerability was in how Hyperbridge’s EthereumHost contract validates incoming messages across chains before passing them to the TokenGateway.
Bridges, which help move coins from one blockchain to another, remain the weakest link in cross-chain architecture because they have administrator-level control over token contracts on destination chains, meaning a single validation error could allow an attacker to create unlimited supply.
Here’s how the attack unfolded
On-chain traces show that the attacker sent a forged message via dispatchIncoming, which was sent to TokenGateway.onAccept.
Checking request receipts, which should have verified the message against a valid cross-chain commit from Polkadot, stored a commit value of zero, indicating that proof validation was either absent or bypassed for this specific call path. The gateway treated the message as legitimate.
The accepted message performed changeAdmin on the bridged Polkadot token contract and transferred admin rights to the attacker’s address. With admin control, the attacker minted 1 billion tokens in a single transaction and routed them through Odos Router V3 into a Uniswap V4 DOT-ETH pool, extracting about 108.2 ETH across what appears to be multiple swaps at slightly different prices.
Liquidity worked against the striker
Weak liquidity/depth, or the ability of the market to absorb large orders at stable prices, is usually a big problem for whales. But in this case it worked against the attacker and limited its profit.
The bridged DOT pool on Ethereum held limited depth, meaning 1 billion tokens overwhelmed the available liquidity and the attacker received a fraction of a cent per token.
On a deeper pool or a higher value bridged asset, the same vulnerability would have resulted in significantly greater losses. DOT is trading just below $1.20 as of Asian morning hours on Monday.
CertiK flagged the exploit and confirmed that the attack vector was the Hyperbridge gateway contract and that the attacker made approximately $237,000 minting and selling the bridged tokens.
Hyperbridge has not publicly commented on the exploit or disclosed whether other bridged token contracts using the same gateway are vulnerable to the same forged message attack vector.
