A forged cross-chain message let an attacker seize admin control of Hyperbridge’s bridged DOT token contract on Ethereum, mint 1 billion tokens, and dump them into on-chain liquidity. Despite the nominal mint value being framed at about $1.19 billion, the realized cash-out was roughly 108.2 ETH, or about $237,000.
Key Takeaways
- A message-validation flaw in Hyperbridge’s gateway/host path enabled an admin takeover of the bridged token contract on Ethereum.
- After gaining admin rights, the attacker minted 1 billion bridged DOT (valued in the incident narrative at about $1.19 billion) and swapped it out for roughly 108.2 ETH (~$237,000).
- The incident did not touch Polkadot’s core network or native DOT supply, with damage confined to the Ethereum-side bridge representation.
- Thin liquidity in Ethereum bridged DOT pools limited extractable value, and Hyperbridge had not disclosed whether other bridged assets share the same vulnerable gateway path.
Forged Message Hands Over Bridged DOT Admin on Ethereum
The exploit centered on Hyperbridge’s Ethereum-side message handling, where a forged cross-chain message was accepted and forwarded through the gateway/host validation path. That acceptance was enough to hand the attacker admin control over the bridged DOT token contract on Ethereum, a permission tier that effectively decides who can change critical settings and, in this case, mint.
On-chain traces described in the incident flow show the attacker submitting a forged message via `dispatchIncoming`, which was routed to `TokenGateway.onAccept`. The check that should have validated the message against a cross-chain state commitment from Polkadot stored an all-zeros commitment value, leaving open whether proof validation was missing entirely or bypassable on that specific call path.
The practical point for traders is scope. This was an admin-control failure on the Ethereum-side bridged token contract, not a Polkadot protocol failure. Any dislocation should concentrate where that bridged representation trades and where its liquidity sits.
Minted 1B Tokens, Cashed Out ~108.2 ETH: How the Payout Stayed Small
After the admin change, the attacker minted 1 billion bridged DOT in a single transaction, then routed the tokens through Odos Router V3 into a V4 DOT-ETH pool. The extraction totaled roughly 108.2 ETH across what appeared to be multiple swaps at slightly different prices.
The headline number was the mint size, but the market structure dictated the outcome. The bridged DOT pool on Ethereum had limited depth, so selling into it overwhelmed available liquidity and cleared at a fraction of a cent per token. That is why a mint framed at about $1.19 billion translated into about $237,000 in realized proceeds.
btc$70,816-1.17%
eth$2,186.81-1.33%
usdt$1-0.02%
bnb$597.68+0.57%
xrp$1.33-0.42%
usdc$1-0.04%
sol$81.91-0.38%
trx$0.32-0.02%
doge$0.09-0.34%
ada$0.24-0.70%
bch$426.31+0.04%
link$8.73-0.79%
xlm$0.15-0.18%
ltc$52.89-1.70%
avax$9.08+0.50%
hbar$0.09-1.35%
sui$0.9-1.09%
dot$1.17-4.65%
uni$3.02-1.02%
etc$8.2-0.15%
algo$0.1-3.40%
atom$1.72-1.07%
fil$0.86+0.08%
vet$0.01-1.12%
