An attacker exploited a vulnerability in the Hyperbridge gateway on April 13, 2026 to mint 1 billion bridged Polkadot (DOT) tokens on Ethereum and sell them in a single sequence, extracting about 108.2 ETH, or roughly $237,000.
The scale of the mint points to a serious validation failure. The realized profit tells a different story.
Blockchain security firm CertiK identified the issue in Hyperbridge’s gateway contract, where a forged cross-chain message bypassed verification and altered the admin of the DOT token contract on Ethereum.
Once control shifted, the attacker gained unrestricted minting rights.
The exploit stemmed from a failure in cross-chain message validation. A crafted proof passed verification checks and allowed the attacker to execute privileged actions.
The system accepted a malicious state commitment and processed it immediately, leaving no window for dispute. The result was a full administrative takeover executed within a single transaction.
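A simplified model of the dispute window the paragraph above says was missing, added here as an illustration and not taken from Hyperbridge's contracts. The `Gateway` class, `CHALLENGE_PERIOD`, the message format and all sample values are assumptions made for this sketch.

```python
import hashlib

CHALLENGE_PERIOD = 3600  # seconds; constructed value for this model

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_root(leaves):
    """Root over hashed leaves; an odd node is paired with itself."""
    level = [h(x) for x in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def verify_proof(leaf, index, siblings, root):
    """Recompute the path from a leaf to the root and compare."""
    node = h(leaf)
    for sib in siblings:
        node = h(node + sib) if index % 2 == 0 else h(sib + node)
        index //= 2
    return node == root

class Gateway:
    """Hypothetical gateway: privileged messages wait out a challenge period."""
    def __init__(self, admin):
        self.admin = admin
        self.commitments = {}  # height -> [root, submitted_at, challenged]

    def submit_commitment(self, height, root, now):
        self.commitments[height] = [root, now, False]

    def challenge(self, height, now):
        # Watchers can veto a commitment only while its window is open.
        if now < self.commitments[height][1] + CHALLENGE_PERIOD:
            self.commitments[height][2] = True

    def execute_set_admin(self, height, message, index, siblings, now):
        root, submitted_at, challenged = self.commitments[height]
        if challenged:
            raise PermissionError("commitment was challenged")
        if now < submitted_at + CHALLENGE_PERIOD:
            raise PermissionError("commitment still in challenge period")
        # A proof only shows inclusion in the root; a forged root passes this
        # check, which is why the delay and veto above must come first.
        if not verify_proof(message, index, siblings, root):
            raise ValueError("message not included in commitment")
        self.admin = message.decode()
```

In this model a forged commitment cannot change the admin in the transaction that submits it, and a single challenge during the window blocks it permanently.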
We have seen an exploit on the @hyperbridge gateway contract. https://t.co/h27iDm1JGd
The attacker slipped through a forged message to change the admin of Polkadot token contract on Ethereum and profited ~$237K from minting and selling 1B tokens.
Stay… pic.twitter.com/3t2n4uq5hy
— CertiK Alert (@CertiKAlert) April 13, 2026
On-chain data shows the attacker minted and dumped the entire 1 billion DOT supply in one coordinated move. The sale returned 108.2 ETH, confirmed by Lookonchain tracking.
Polkadot(@Polkadot) has been exploited. 🚨
The attacker minted 1B $DOT and dumped it all in a single transaction for 108.2 $ETH($237K).https://t.co/4pStYrGb8y pic.twitter.com/wRplAWNnBg
— Lookonchain (@lookonchain) April 13, 2026
The outcome highlights a key limitation: liquidity for the affected asset was thin.
While the minted supply carried a theoretical value in the billions, available liquidity on decentralized exchanges capped what could be extracted. The bridged DOT price collapsed from around $1.22 to near zero during the dump, limiting further gains.
This gap between notional value and realized profit is central to the attack’s outcome. It shows that execution constraints still matter, even in large-scale exploits.
DOT briefly dropped about 7% following the incident, falling from roughly $1.24 to near $1.15 before stabilizing around $1.20.

The impact remained contained for a clear reason. The exploit targeted only the Ethereum-bridged version of DOT. The native Polkadot relay chain wasn’t compromised.
Centralized exchanges responded quickly. South Korean platforms Upbit and Bithumb suspended DOT deposits and withdrawals to limit potential exposure.
This action separates bridge-level risk from a protocol-level failure.
Cross-chain infrastructure continues to attract attackers. Chainalysis data shows bridge-related failures account for more than 60% of crypto hack losses, with cumulative damage exceeding $2 billion in recent years.
This incident follows that pattern.
The failure didn’t come from breaking core cryptography. It came from how systems verify and trust cross-chain messages. When that layer fails, attackers can escalate privileges directly.
At the same time, the limited financial damage shows an important counterpoint. Structural weaknesses don’t always translate into large losses if liquidity conditions restrict execution.
The combination of deep technical failure and constrained profit highlights a structural issue. Cross-chain systems expand functionality, but they also widen the attack surface in ways that are still not fully controlled.
