In brief
- Hyperbridge’s exploit was about 10x worse than originally feared, with estimated losses now around $2.5 million.
- The protocol originally reported that there were just $237,000 in funds exploited earlier this week.
- The bulk of stolen funds have been traced, and the firm is working with law enforcement in the hopes of freezing and recovering assets.
An exploit that led to the minting of 1 billion wrapped Polkadot (DOT) tokens earlier this week is even worse than originally reported, according to the team behind Hyperbridge.
What was originally thought to amount to $237,000 worth of token losses linked to the Polkadot-Ethereum bridge is actually closer to $2.5 million—a more than 10x increase from the initial report.
“An attacker exploited a vulnerability in the Merkle Mountain Range (MMR) proof verification logic, allowing the culprit to mint assets and drain escrowed assets on Token Gateway,” the team posted in a Thursday postmortem.
“Our initial public estimate of the realized loss was approximately $237,000, based on the immediately observable sell-off of bridged DOT on Ethereum,” they added. “That figure did not capture the full picture, we later learned.”
In addition to the $237,000 in observable losses, a smart contract was exploited for 245 ETH, or around $561,000, hours before the malicious DOT token mintings. Three connected blockchains—Base, Arbitrum, and BNB Chain—were also impacted, contradicting the team’s original report that only wrapped DOT on Ethereum was affected.
“Following reconciliation of attacker activity across each of the four chains, the two-phase nature of the attack, and losses from the associated incentive pools, the revised total realized loss is approximately $2.5 million, denominated in ETH and DOT at the time of the exploit,” it wrote.
The stolen funds have been traced to a deposit address on Binance, and the firm has engaged the centralized exchange’s compliance team and relevant law enforcement in an attempt to freeze and recover the stolen assets—but it doesn’t expect a resolution soon.
“We are pursuing every available channel, but the realistic timeline for meaningful recovery in a case of this type is measured in months, and can extend up to a year,” it added.
While its goal is to make all affected users whole by repaying the compromised funds, the protocol indicated that it is “committed to a structured BRIDGE token allocation to cover the residual loss,” should it be unable to do so.
But BRIDGE, its native protocol token, maintains extremely low volumes, with just $1,800 traded over 24 hours when it changed hands for around $0.006 on March 29, according to data from CoinGecko. At that price, the token had a market cap of around $858,000, about one-third of the total losses from the exploit.
Bridging functionality on the four affected blockchains remains paused, and will only resume after a patch is deployed and audited.
“This does not change our conviction that cross-chain interoperability is only secure through cryptographic proofs,” the protocol team wrote.
“What this exploit has made clear, expensively, is that verification logic needs more frequent audits and adversarial testing at every layer of the stack,” it added. “That is the standard Token Gateway will operate under going forward.”