Crypto hacks are not new, but cases where attackers take big risks and walk away with peanuts are not common. This rare scenario occurred on Sunday.
An attacker exploited a vulnerability in Hyperbridge’s cross-chain gateway that connects different blockchains, minting 1 billion Polkadot tokens ($1.19 billion) on Ethereum and swapping them for around $237,000 worth of ether.
The exploit adds to a growing list of bridge vulnerabilities in 2026. Last month, a $270 million Drift Protocol was drained on Solana, while a social engineering attack, rather than a code exploit, also involved compromised infrastructure.
Sunday’s exploit targeted the bridge contract, not Polkadot’s mainnet. Polkadot’s native DOT token was not affected. The vulnerability lies in the way Hyperbridge’s EthereumHost contract validates incoming cross-chain messages before transmitting them to TokenGateway.
Bridges, which help move coins from one blockchain to another, remain the weakest link in cross-chain architecture because they hold admin-level control over token contracts on destination chains, meaning a single validation failure can give an attacker the ability to create an unlimited supply.
This is how the attack unfolded
On-chain traces show that the attacker submitted a fake message via dispatchIncoming, which was routed to TokenGateway.onAccept.
Checking the request receipts, which should have verified the message against a valid Polkadot cross-chain state commit, stored an entirely zero commit value, suggesting that proof validation was either absent or bypassable for this specific call path. The gateway treated the message as legitimate.
The accepted message executed changeAdmin on the bridged Polkadot token contract, transferring admin rights to the attacker’s address. With administrator control, the attacker created 1 billion tokens in a single transaction and routed them through Odos Router V3 to a Uniswap V4 DOT-ETH pool, mining approximately 108.2 ETH on what appears to be multiple swaps at slightly different prices.
Liquidity worked against the attacker
Low liquidity/depth, or the market’s ability to absorb large orders at stable prices, is typically a major problem for whales. But in this case, it worked against the attacker, thus limiting his profits.
The DOT pool bridged on Ethereum had limited depth, meaning that a billion tokens exceeded available liquidity and the attacker only received a fraction of a cent per token.
On a deeper pool or higher value bridged asset, the same vulnerability would have resulted in much greater losses. DOT is trading just under $1.20 Monday morning in Asia.
CertiK reported the exploit, confirming that the attack vector was the Hyperbridge gateway contract and that the attacker profited approximately $237,000 by minting and selling the bridged tokens.
Hyperbridge has not publicly commented on the exploit or revealed whether other bridged token contracts using the same gateway are vulnerable to the same fake message attack vector.
