Cryptocurrency hacks are nothing new, but cases where attackers take big risks and walk away with peanuts are not common. That strange scenario unfolded on Sunday.
An attacker exploited a vulnerability in the Hyperbridge cross-chain gateway that connects different blockchains, minting 1 billion Polkadot tokens ($1.19 billion) on Ethereum and selling them for approximately $237,000 in ether.
The exploit adds to a growing list of bridge vulnerabilities in 2026. Last month saw a $270 million drain of the Drift protocol on Solana, which, while a social engineering attack rather than a code exploit, similarly involved compromised infrastructure.
Sunday’s exploit targeted the bridge contract, not Polkadot’s core network. Polkadot’s native token, DOT, was not affected. The vulnerability was in the way Hyperbridge’s EthereumHost contract validates incoming cross-chain messages before passing them to the TokenGateway.
Bridges, which help move coins from one blockchain to another, remain the weakest link in cross-chain architecture because they have admin-level control over token contracts on the target chains, meaning a single validation failure can grant an attacker the ability to generate an unlimited supply.
This is how the attack developed
Chain traces show that the attacker sent a forged message via dispatchIncoming, which was routed to TokenGateway.onAccept.
The request receipt check, which should have verified the message against a valid Polkadot cross-chain state commitment, stored a commitment value of all zeros, suggesting that the validation check was absent or could be bypassed for this specific call path. The gateway processed the message as legitimate.
The accepted message ran changeAdmin on the bridged Polkadot token contract, transferring administrator rights to the attacker’s address. With administrative control, the attacker minted 1 billion tokens in a single transaction and routed them through the Odos Router V3 to a Uniswap V4 DOT-ETH pool, extracting approximately 108.2 ETH through what appears to be multiple swaps at slightly different prices.
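Detection logic for the sequence described above (an accepted message with an all-zero commitment, an admin change on the bridged token, then an oversized mint), added here as an example and not code from Hyperbridge, CertiK or the original article. The record layout, field names, transaction ids, placeholder addresses and supply figures are constructed assumptions.

```python
# Added example: flags the on-chain sequence described in the article.
# Record layout, field names, tx ids and supply figures are constructed.
SAMPLE_TRACE = [
    {"tx": "0xaaa1", "call": "dispatchIncoming", "commitment": "0x" + "00" * 32},
    {"tx": "0xaaa1", "call": "changeAdmin", "token": "bridgedDOT",
     "new_admin": "0xATTACKER_PLACEHOLDER"},
    {"tx": "0xaaa2", "call": "mint", "token": "bridgedDOT",
     "caller": "0xATTACKER_PLACEHOLDER", "amount": 1_000_000_000,
     "supply_before": 350_000},
    # Benign traffic: proven message, small mint by the gateway itself.
    {"tx": "0xbbb1", "call": "dispatchIncoming", "commitment": "0x" + "5c" * 32},
    {"tx": "0xbbb2", "call": "mint", "token": "bridgedDOT",
     "caller": "TokenGateway", "amount": 1_200, "supply_before": 1_000_350_000},
]


def is_zero_commitment(value):
    """True for a missing or all-zero hex commitment, with or without 0x."""
    digits = value.lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    return digits.strip("0") == ""


def scan(records, expected_admins, mint_ratio=0.5):
    """Return (tx, alert) pairs in trace order."""
    alerts = []
    rogue_admin = {}  # token -> admin address that differs from the expected one
    for r in records:
        if r["call"] == "dispatchIncoming":
            if is_zero_commitment(r.get("commitment", "")):
                alerts.append((r["tx"], "ZERO_COMMITMENT"))
        elif r["call"] == "changeAdmin":
            if r["new_admin"] != expected_admins.get(r["token"]):
                rogue_admin[r["token"]] = r["new_admin"]
                alerts.append((r["tx"], "ADMIN_CHANGED"))
        elif r["call"] == "mint":
            if r["caller"] == rogue_admin.get(r["token"]):
                alerts.append((r["tx"], "MINT_BY_NEW_ADMIN"))
            # A mint larger than mint_ratio of existing supply is a spike.
            if r["amount"] > mint_ratio * r["supply_before"]:
                alerts.append((r["tx"], "MINT_SPIKE"))
    return alerts


if __name__ == "__main__":
    for tx, alert in scan(SAMPLE_TRACE, {"bridgedDOT": "TokenGateway"}):
        print(tx, alert)
```

The zero-commitment and admin-change alerts fire before any tokens are minted, which is the window in which a pause or allowlist control on the token contract would still limit the damage.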
Liquidity played against the attacker
Thin liquidity, meaning a market with limited depth to absorb large orders at stable prices, is often a major problem for whales. But in this case, it worked against the attacker, limiting their gains.
The bridged DOT pool on Ethereum was limited in depth, meaning that one billion tokens overwhelmed the available liquidity and the attacker received a fraction of a cent per token.
In a deeper pool or with a higher-value bridged asset, the same vulnerability would have resulted in significantly larger losses. DOT is trading just under $1.20 in Asian morning hours on Monday.
CertiK flagged the exploit, confirming that the attack vector was the Hyperbridge gateway contract and that the attacker made approximately $237,000 from minting and selling the bridged tokens.
Hyperbridge has not publicly commented on the exploit or revealed whether other bridged token contracts using the same gateway are vulnerable to the same forged message attack vector.




