Hyperbridge bug mints 1B bridged DOT, attacker nets $237K
A proof-verification flaw in Hyperbridge allowed minting of about 1 billion bridged DOT on Ethereum (~$1.1B); limited liquidity let the attacker convert roughly $237,000.
On April 13, 2026, Hyperbridge disclosed a vulnerability in its proof-verification logic that allowed an attacker to mint roughly 1 billion bridged Polkadot (DOT) tokens on Ethereum. Invalid proofs were accepted as valid, and a malicious message executed that granted administrative control of the bridged DOT token contract on Ethereum.
With control of the contract, the attacker created about 1 billion bridged DOT tokens. That issuance was roughly 2,800 times larger than the existing bridged DOT supply on Ethereum and exceeded the native DOT total supply on the Polkadot network, which is about 1.6 billion tokens.
The attacker sold tokens on decentralized exchanges where liquidity existed and converted approximately $237,000 into value. Hyperbridge explained that limited market depth prevented the attacker from converting the full supply; at recent trading around $1.17 per DOT, converting the entire 1 billion tokens could have produced more than $1 billion.
Market data showed DOT’s price fell about 4.6% in the 24 hours surrounding the exploit. The token has declined over the past year, trading well below its November 2021 peak and near its all-time low set in February.
Hyperbridge and the Polkadot team indicated the issue was confined to bridged DOT on Ethereum. Native DOT on the Polkadot relay chain, parachains and other assets transferred by Hyperbridge were not affected, they said.
Hyperbridge took its application offline to perform maintenance and deploy additional safeguards. The protocol is working with security partners on recovery and investigation efforts; the attacker’s identity has not been made public.
On X, Hyperbridge posted: “This flaw allowed invalid proofs to be incorrectly accepted as valid.” The protocol added: “As a result, a malicious message was processed that granted the attacker administrative control of the bridged DOT token contract on Ethereum.”
Hyperbridge has not posted a full technical postmortem. Investigators will need to determine how invalid proofs were accepted and whether additional verification checks or controls can prevent similar manipulation of bridged token contracts.
Bridge protocols that move tokens between blockchains have been targets of high-value exploits in recent years, including a 2022 attack on Ronin Network that resulted in roughly $552 million stolen. Hyperbridge said it is evaluating options to recover funds and to prevent the same technique from affecting other assets.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
