Attacker mints $1 billion Polkadot tokens on Ethereum, steals just $250,000

Crypto hacks are nothing new, but cases where attackers take big risks and walk away with peanuts aren’t common. That rare scenario played out on Sunday.

An attacker exploited a vulnerability in Hyperbridge’s cross-chain gateway that connects different blockchains, minting 1 billion Polkadot tokens ($1.19 billion) on Ethereum and dumping them for approximately $237,000 worth of ether.

The exploit adds to a growing list of bridge vulnerabilities in 2026. Last month saw a $270 million Drift Protocol drain on Solana, while a social engineering attack, rather than a code exploit, similarly involved compromised infrastructure.

The Sunday exploit targeted the bridge contract, not Polkadot’s core network. Polkadot’s native token DOT was unaffected. The vulnerability sat in how Hyperbridge’s EthereumHost contract validates incoming cross-chain messages before passing them to the TokenGateway.

Bridges, which help move coins from one blockchain to another, remain the weakest link in cross-chain architecture because they hold admin-level control over token contracts on destination chains, meaning a single validation failure can grant an attacker the ability to mint unlimited supply.

Here’s how attack unfolded

On-chain traces show that the attacker submitted a forged message via dispatchIncoming, which was routed to TokenGateway.onAccept.

The request receipts check, which should have verified the message against a valid cross-chain state commitment from Polkadot, stored an all-zeros commitment value, suggesting the proof validation was either absent or circumventable for this specific call path. The gateway processed the message as legitimate.

The accepted message executed changeAdmin on the bridged Polkadot token contract, transferring admin rights to the attacker’s address. With admin control, the attacker minted 1 billion tokens in a single transaction and routed them through Odos Router V3 into a Uniswap V4 DOT-ETH pool, extracting roughly 108.2 ETH across what appears to be multiple swaps at slightly different prices.

Liquidity worked against the attacker

Weak liquidity/depth, or the market’s ability to absorb large orders at stable prices, is usually a major issue for whales. But, in this case, it worked against the attacker, capping its profit.

The bridged DOT pool on Ethereum held limited depth, meaning 1 billion tokens overwhelmed the available liquidity and the attacker received a fraction of a cent per token.

On a deeper pool or a higher-value bridged asset, the same vulnerability would have produced significantly larger losses. DOT trades just under $1.20 as of Asian morning hours on Monday.

CertiK flagged the exploit, confirming the attack vector was the Hyperbridge gateway contract and that the attacker profited approximately $237,000 from minting and selling the bridged tokens.

Hyperbridge has not publicly commented on the exploit or disclosed whether other bridged token contracts using the same gateway are vulnerable to the same forged-message attack vector.