Key Takeaways
- A hacker successfully minted 1 billion bridged Polkadot (DOT) tokens on Ethereum by manipulating a Merkle tree verifier.
- Because of shallow liquidity, the attacker realized only roughly $237,000 in gains, while native DOT remains unaffected.
- The Hyperbridge exploit follows a similar incident at Aethir and a $130,000 vulnerability on the SubQuery Network.
Blockchain bridges remain the Achilles’ heel of the decentralized world, as evidenced by the recent $237,000 exploit of Hyperbridge. In a single, calculated transaction, an attacker managed to mint 1 billion bridged Polkadot (DOT) tokens on the Ethereum network. While the “1 billion” figure sounds catastrophic, the actual profit was capped by the liquidity available in the bridged pool.
The attacker made off with 108.2 Ether, but fortunately, the rest of the Polkadot ecosystem dodged a bullet. It’s a reality check for all of us: even when a protocol claims ‘full node security,’ a clever forged message attack can still find a way through. No layer is truly bulletproof when someone is determined enough.
Hyperbridge pauses operations after exploit
In the immediate aftermath of the detection, Hyperbridge administrators moved to halt all operations. The team’s initial diagnosis points toward a malicious proof that effectively “tricked” the protocol’s Merkle tree verifier.
Specifically, security researchers at Blocksec Falcon identified a likely vulnerability in the Merkle Mountain Range (MMR) proof-to-request binding. This allowed the attacker to effectively forge an administrative message, granting them the power to change the Polkadot token contract’s ownership on Ethereum.
While native DOT holders saw a brief price dip to $1.16, the market stabilized quickly as it became clear the core Polkadot relay chain was never at risk.
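The proof-to-request binding problem described above can be shown with a simplified verifier. This is an added example, not code from the article or from Hyperbridge: it uses a plain binary Merkle tree rather than an MMR, the function names and sample messages are hypothetical, and it illustrates the general failure class only, since the report does not give the details of the actual bug.

```python
import hashlib

def leaf_hash(request: bytes) -> bytes:
    # Domain-separate leaves (0x00) from inner nodes (0x01).
    return hashlib.sha256(b"\x00" + request).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(requests):
    """All tree levels, leaves first; expects a power-of-two request count."""
    levels = [[leaf_hash(r) for r in requests]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node_hash(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def make_proof(levels, index):
    # Sibling hashes on the path from leaf `index` up to the root.
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def fold(leaf, index, path):
    node = leaf
    for sibling in path:
        node = node_hash(node, sibling) if index % 2 == 0 else node_hash(sibling, node)
        index //= 2
    return node

def verify_unbound(root, request, proven_leaf, index, path):
    # Flawed: shows that *some* leaf is in the tree, then trusts `request`
    # without checking that it is the message that leaf commits to.
    return fold(proven_leaf, index, path) == root

def verify_bound(root, request, index, path):
    # Hardened: the leaf is recomputed from the request about to be dispatched.
    return fold(leaf_hash(request), index, path) == root

# Constructed sample data (not taken from the incident).
REQUESTS = [b"transfer:alice:10", b"transfer:bob:5", b"transfer:carol:7", b"transfer:dave:1"]
LEVELS = build_levels(REQUESTS)
ROOT, PATH = LEVELS[-1][0], make_proof(LEVELS, 1)
FORGED = b"admin:set-owner:mallory"

def demo():
    return (verify_unbound(ROOT, FORGED, LEVELS[0][1], 1, PATH),
            verify_bound(ROOT, FORGED, 1, PATH), verify_bound(ROOT, REQUESTS[1], 1, PATH))
```

`demo()` returns whether the unbound verifier accepts the forged message, whether the bound verifier accepts it, and whether the bound verifier accepts the genuine one.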
Hackers exploit SubQuery Network for $130,000
The Hyperbridge incident wasn’t the only security flare-up over the weekend. The SubQuery Network also fell victim to an exploit totaling $130,000, highlighting a persistent issue with legacy code. A vulnerability in access control information, written over two years ago, allowed an attacker to redirect staking rewards to their own contract.
Despite a significant year-over-year decrease in DeFi theft (dropping from over $1.5 billion in Q1 2025 to roughly $168 million in Q1 2026), the frequency of these “minor” exploits suggests that hackers are becoming more surgical. As protocols continue to battle for cross-chain dominance, the focus is shifting from throughput to the fundamental integrity of Merkle proofs and admin access controls.
Final Thoughts
While the financial loss in the Hyperbridge case was relatively small, the technical implications are significant. It proves that “proof-based” systems are only as strong as their verifier’s ability to distinguish between legitimate and forged messages.
Frequently Asked Questions
Was native Polkadot (DOT) stolen?
No, the exploit only affected bridged DOT on the Ethereum network; native DOT remains secure.
Why didn’t the hacker get more money?
The limited liquidity in the specific bridged DOT pool prevented the hacker from cashing out the full 1 billion tokens.
Is Hyperbridge still active?
Operations are currently paused while the team implements a mandatory security upgrade to fix the proof vulnerability.
