A significant vulnerability in the Hyperbridge protocol has led to the loss of approximately $237,000 worth of bridged Polkadot (DOT) on the Ethereum blockchain. Recent reports indicate that a hacker took advantage of a flaw in the proof verification logic, gaining unauthorized access to the bridged DOT token contract and enabling the minting of 1 billion tokens valued at over $1.1 billion. This technical exploit highlights ongoing security challenges within decentralized finance (DeFi) protocols.
According to Hyperbridge, the flaw allowed the acceptance of invalid proofs, leading to the processing of a malicious message that granted control of the bridged DOT token contract to the attacker. With newfound administrative control, the perpetrator minted an overwhelming supply of 1 billion bridged DOT tokens, exceeding the actual token supply by a staggering margin. For context, the total native, non-bridged DOT supply stands at around 1.6 billion tokens.
The exploit was confined to the bridged DOT on the Ethereum blockchain, leaving native DOT on the Polkadot relay chain and other assets across Hyperbridge untouched and secure. The hacker sold the illegally minted tokens on decentralized exchanges and extracted approximately $237,000, a figure that reflects the limited liquidity available at the time. Market analysts noted that, had liquidity been higher, the attacker could have realized gains exceeding $1 billion, with the token trading at around $1.17, a 4.6% decline over the last 24 hours.
The incident comes at a precarious time for the DOT token, which has fallen more than 68% over the past year and sits roughly 98% below its all-time high of $54.98 reached in November 2021. Currently, DOT’s price is teetering just above its all-time low of $1.15, recorded in February.
In response to the exploit, Hyperbridge has temporarily taken its application offline for maintenance to implement additional security measures and is actively collaborating with security partners to attempt to recover the stolen funds. This incident adds to the growing list of security breaches affecting bridge protocols, reminiscent of the Ronin Network’s $552 million exploit in 2022, which was linked to North Korea’s Lazarus hacking group. The ramifications of such hacks continue to raise concerns about the security frameworks surrounding DeFi protocols, particularly following recent attacks, including a $285 million exploit of Solana’s Drift Protocol on April 1, allegedly tied to similar networks of hackers.


