Crypto Hacker Mints $1.1 Billion in Polkadot via Ethereum Bridge, But Can Only Cash Out $237K

A technical exploit of blockchain token bridge Hyperbridge led to the artificial creation of 1 billion Polkadot (DOT) tokens valued above $1.1 billion—but it only saw around $237,000 in losses due to limited liquidity, the firm reported on Monday. 

The protocol, which allows users to transfer funds to and from distinct blockchains—like Ethereum to Polkdaot—said the exploit was as a result of a vulnerability in its proof verification logic. The malicious actor has not yet been identified. 

“This flaw allowed invalid proofs to be incorrectly accepted as valid,” Hyperbridge posted on X. “As a result, a malicious message was processed that granted the attacker administrative control of the bridged DOT token contract on Ethereum.” 

Once the exploiter gained access to the bridged DOT token contract, they proceeded to mint 1 billion bridged DOT tokens—which exceeded the actual bridged DOT token supply by around 2,800 times. For reference, the total native, non-bridged DOT supply is only 1.6 billion tokens.

The firm and the team behind the Polkadot blockchain confirmed the exploit was confined to only bridged DOT on the Ethereum blockchain.

After minting the tokens, the attacker then sold them directly on decentralized exchanges, making away with around $237,000—the amount that was available in trading liquidity.

Should there have been sufficient liquidity, someone with around 1 billion DOT tokens could stand to gain more than $1 billion as the token trades around $1.17, down 4.6% in the last 24 hours.

At that mark, DOT has now fallen more than 68% in the last year of trading and is nearly 98% off its November 2021 all-time high of $54.98. DOT is currently just above its all-time low price of $1.15, set in February.

The protocol’s app is down for maintenance as it adds “additional safeguards” and works with security partners in an attempt to recover swiped funds. 

Bridge protocols have been at the center of multiple exploits over the years, highlighted by Ronin Network’s $552 million exploit in 2022 when hackers attacked its native bridge to Ethereum. The exploit remains one of the largest crypto hacks of all-time, and was linked by U.S. government agencies to North Korea’s infamous state-sponsored Lazarus hacking group.

The latest exploit adds to a mounting list of concerns surrounding the security of DeFi protocols, following the recent exploit of Solana’s Drift Protocol, which lost more than $285 million on April 1 to a North Korean-linked hacker.