Polkadot Hyperbridge exploit: Attacker mints 1B+ fake DOT tokens, nets ~$237K

Loic Dos Santos | ALTCOINS | 3 days ago


Fake DOT tsunami hits Ethereum

A vulnerability in Hyperbridge, a decentralized protocol connecting Polkadot and Ethereum, enabled an attacker to mint over one billion counterfeit DOT tokens on Ethereum. The breach, which occurred on Monday, resulted in the creation of unbacked tokens with a notional value of approximately $1.2 billion. However, the attacker was only able to convert these fake assets into about $237,000 worth of Ether due to limited liquidity in the affected pools.

The incident did not impact native Polkadot (DOT) tokens or the broader Polkadot ecosystem. Instead, only the Ethereum-based DOT tokens that had been bridged via Hyperbridge were compromised. This distinction was emphasized by Polkadot’s team, who clarified that the core protocol and its consensus mechanisms remained secure during the exploit.


Polkadot’s official X account posted on April 29 that only Hyperbridge-minted DOT on Ethereum was affected.

Bridge flaw lets hacker print billions

The attack exploited a flaw in Hyperbridge’s message verification process—specifically a Merkle Mountain Range (MMR) proof replay vulnerability—allowing the hacker to forge messages and assume admin control over the DOT token contract on Ethereum.

According to cointelegraph.com, blockchain security firm CertiK reported that the attacker manipulated admin privileges by forging a message, enabling unauthorized minting of tokens. BlockSec Phalcon and on-chain analyst Specter also identified missing input validation in Hyperbridge’s `VerifyProof()` function as a key failure point. Without proper binding between requests and proofs, attackers could submit arbitrary payloads for validation—a critical oversight for any cross-chain bridge.

An initial related attack took place roughly an hour before the main exploit. In this earlier incident, an attacker targeted a TokenGateway contract associated with Hyperbridge and siphoned 245 ETH—valued at approximately $537,000 at the time—by manipulating withdrawal targets for staking rewards.

$237K profit, but billions minted

On paper, the attacker’s one billion counterfeit DOT tokens represented more than $1.2 billion at prevailing market rates. But with only about $237,000 in actual proceeds realized from selling these tokens for Ether on Uniswap, the scheme’s profitability was sharply capped by liquidity constraints within bridged DOT pools.

The gap between theoretical and real-world gains highlights how thinly traded or poorly collateralized bridges can limit even large-scale exploits.

Following news of the exploit on Monday, DOT briefly plunged to a daily low of $1.16 before rebounding above $1.19 later in the day. Two major Korean exchanges—Upbit and Bithumb—temporarily halted deposits and withdrawals for DOT amid concerns about contaminated liquidity entering their platforms.

Parity Technologies was quick to distance Polkadot’s underlying protocol from the incident, stating that no vulnerabilities were found in its consensus or audited core code. The exploit stemmed entirely from Hyperbridge’s implementation flaws rather than any weakness in Polkadot itself.

Merkle proof replay at fault?

BlockSec Phalcon attributed the root cause to a Merkle Mountain Range proof replay vulnerability, a technical issue where missing binding between proof and request allowed attackers to reuse proofs for malicious actions.

Cybersecurity analysts highlighted that Hyperbridge failed to properly validate input data within its verification logic. Specifically, missing checks in its `VerifyProof()` function meant that submitted payloads were not securely tied to their corresponding proofs. This oversight enabled attackers to forge withdrawal requests and bypass normal controls designed to prevent unauthorized token minting.
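The binding failure described above can be shown with a small model. This is an added illustration, not Hyperbridge's code: it uses a plain binary Merkle tree as a simplification of an MMR, and every name in it (`verify_unbound`, `BoundVerifier`, the sample messages) is hypothetical.

```python
import hashlib

def _h(tag: bytes, *parts: bytes) -> bytes:
    # Tagged SHA-256 so leaf hashes and inner-node hashes can never collide.
    return hashlib.sha256(tag + b"".join(parts)).digest()

def leaf_hash(payload: bytes) -> bytes:
    return _h(b"\x00", payload)

def build_tree(payloads):
    """Return (root, proofs); len(payloads) must be a power of two."""
    level = [leaf_hash(p) for p in payloads]
    pos = list(range(len(payloads)))
    proofs = [[] for _ in payloads]
    while len(level) > 1:
        for i, p in enumerate(pos):
            proofs[i].append((level[p ^ 1], p & 1))  # (sibling, node is right child)
        level = [_h(b"\x01", level[j], level[j + 1]) for j in range(0, len(level), 2)]
        pos = [p >> 1 for p in pos]
    return level[0], proofs

def fold(leaf: bytes, proof) -> bytes:
    acc = leaf
    for sibling, is_right in proof:
        acc = _h(b"\x01", sibling, acc) if is_right else _h(b"\x01", acc, sibling)
    return acc

def verify_unbound(root, proven_leaf, proof, request) -> bool:
    # Weak form: proves that *some* leaf is under the root, then trusts
    # `request` even though it never entered the hash computation.
    return fold(proven_leaf, proof) == root

class BoundVerifier:
    """Hardened form: leaf is derived from the request; used leaves are recorded."""
    def __init__(self, root: bytes):
        self.root, self.consumed = root, set()

    def verify(self, proof, request: bytes) -> bool:
        leaf = leaf_hash(request)      # binding: the proof must cover this request
        if leaf in self.consumed or fold(leaf, proof) != self.root:
            return False
        self.consumed.add(leaf)        # replay protection: one use per leaf
        return True

# Constructed sample data (not taken from the incident).
MESSAGES = [b"transfer:alice:10", b"transfer:bob:5", b"transfer:carol:7", b"transfer:dave:1"]
ROOT, PROOFS = build_tree(MESSAGES)
UNRELATED = b"change-admin:unknown-party"
```

In this model the weak verifier accepts `UNRELATED` when it is paired with a valid proof for `MESSAGES[0]`, while `BoundVerifier` rejects it and also rejects a second submission of the legitimate message.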

While BlockSec Phalcon’s analysis points strongly toward this replay flaw as the culprit, final confirmation of all contributing factors remains pending as teams continue their investigation into transaction logs and contract code.

Why it matters: Bridges under scrutiny

Hyperbridge has paused all operations while developers work on an urgent upgrade to address these security lapses. Seun Lanlege of Polytope Labs—the Lagos-based firm behind Hyperbridge—confirmed that patching efforts are underway but did not provide a timeline for resumption of service.

This is not an isolated event: just one day prior to the Hyperbridge hack, SubQuery Network suffered a separate exploit worth around $130,000 after missing access controls allowed an attacker to redirect staking rewards. Both incidents underscore persistent risks facing decentralized bridges that handle cross-chain asset transfers worth millions—or even billions—of dollars daily.

For users and exchanges alike, such breaches mean heightened caution around accepting bridged tokens or interacting with smart contracts lacking rigorous audits. As shown by Upbit and Bithumb’s swift suspension of DOT transactions following this week’s events, centralized venues are increasingly proactive about isolating potential threats before they spread further into broader markets.

The contrast between massive on-chain token creation and modest financial gain is stark: while attackers may mint assets worth billions in seconds due to faulty bridge logic, their ability to realize profits is often constrained by market depth and exchange safeguards.

Points of Interest

  • On April 29, 2024, an attacker exploited Hyperbridge to mint over 1 billion fake DOT tokens on Ethereum.
  • The attacker netted about $237,000 (108.2 ETH) from the exploit, limited by low liquidity in bridged DOT pools.
  • Only Hyperbridge-minted DOT on Ethereum was affected; native Polkadot tokens and the broader ecosystem remained secure.

Areas to watch closely

If Upbit and Bithumb resume DOT deposits and withdrawals following their temporary suspension due to the Hyperbridge exploit, immediate on-chain flows and price reactions for bridged DOT on Ethereum could occur; however, the timeline for resumption remains unclear as Hyperbridge operations are still paused pending a confirmed root cause and upgrade.
