Attacker Exploits Polkadot-Based Hyperbridge
An attacker took advantage of a flaw in Polkadot-based Hyperbridge, minting an astonishing 1 billion bridged DOT tokens worth over $1.19 billion on Ethereum. The attacker ended up with only $237,000 after selling them. This incident, first reported by security firm CertiK on April 12, 2026, highlights the ongoing vulnerabilities in cross-chain bridges, even though they promise easy interoperability. While Polkadot's main network is secure, the event unsettled the markets, causing DOT to drop about 5%.
The Exploit Unraveled
Hyperbridge, a zkSNARK-powered system on Polkadot, helps transfer assets between chains like Polkadot and Ethereum. The attack targeted its EthereumHost contract, which mishandled the validation of cross-chain messages before sending them to the TokenGateway. The attacker submitted a fake message through the dispatchIncoming function, bypassing state proof checks because an all-zeros commitment misled the system into accepting it. This gave the attacker admin control over the bridged DOT token contract through a changeAdmin call. In a single transaction, they minted 1 billion tokens and sent them through Odos Router V3 into a Uniswap V4 DOT-ETH pool. Multiple swaps yielded about 108.2 ETH, worth roughly $237,000 at the time, as low liquidity in the pool led to significant price slippage. On-chain investigators traced the funds quickly, and the damage was limited to Ethereum's bridged assets.
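A simplified model of the check this failure class calls for, as an added example that is not Hyperbridge's code: a message handler that verifies proofs against a stored commitment must reject an unset or all-zeros commitment outright. The Merkle scheme, function names and sample messages are assumptions constructed for illustration.

```python
import hashlib

ZERO = bytes(32)  # value an unset slot reads as (models a contract mapping default)

class RejectedMessage(Exception):
    pass

def leaf(message: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + message).digest()  # 0x00 = leaf domain tag

def node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 = inner node tag

def build(messages, index):
    """Return (root, proof) for messages[index]; len(messages) must be a power of two."""
    level, proof = [leaf(m) for m in messages], []
    while len(level) > 1:
        proof.append((level[index ^ 1], bool(index & 1)))  # (sibling, sibling_is_left)
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof

def verify_incoming(commitments, height, message, proof):
    """Raise RejectedMessage unless `message` is proven under the commitment for `height`."""
    root = commitments.get(height, ZERO)
    # Guard: an unset or all-zeros commitment is not a root anything can be proven against.
    if root == ZERO:
        raise RejectedMessage("no commitment stored for this height")
    acc = leaf(message)
    for sibling, sibling_is_left in proof:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    if acc != root:
        raise RejectedMessage("proof does not match stored commitment")

def is_accepted(commitments, height, message, proof) -> bool:
    try:
        verify_incoming(commitments, height, message, proof)
        return True
    except RejectedMessage:
        return False

# Constructed sample data: four messages committed at height 100.
MESSAGES = [b"msg-0", b"msg-1", b"msg-2", b"msg-3"]
ROOT, PROOF = build(MESSAGES, 2)
COMMITMENTS = {100: ROOT}

if __name__ == "__main__":
    print(is_accepted(COMMITMENTS, 100, MESSAGES[2], PROOF))  # genuine message
    print(is_accepted(COMMITMENTS, 100, b"forged", PROOF))    # wrong leaf
    print(is_accepted(COMMITMENTS, 999, b"forged", []))       # unknown height
```

The guard runs before any proof arithmetic, so a lookup that silently returns the default value can never be mistaken for a finalized state.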
Why the Haul Was So Small
Interestingly, the shallow liquidity that affected large traders worked in DeFi's favour in this case. The bridged DOT pool couldn't absorb the influx of 1 billion tokens without crashing the price, which limited the attacker's profits. If the attack had targeted a deeper pool or a more valuable asset, losses could have reached hundreds of millions. After the exploit, DOT hovered around $1.20, down slightly from $1.22, showing market nervousness but posing no systemic threat to Polkadot's main network. This follows a troubling trend in 2026: bridges, which often hold excessive admin controls over tokens on destination chains, are frequently hacked. Last month, Solana's Drift Protocol lost $270 million to an exploit, while social engineering attacks elsewhere revealed infrastructure weaknesses. Hyperbridge's lack of communication so far leaves users uncertain.
Broader Implications
Polkadot, trading between $1.17 and $1.24 USD as of April 13, experienced a 4-5% price fluctuation but remained firm, underlining the relay chain's strength. The ecosystem, including parachains like Hyperbridge Nexus, promotes zk-proofs for better scalability, yet validation issues remain. CertiK's warning highlighted the gateway flaw and called for audits of similar systems. For users, this serves as a reminder to closely examine bridges beyond the hype. Native DOT tokens are safe, but bridged versions require caution. Developers must focus on proof verification and time locks. As the crypto world looks towards multi-chain futures, incidents like this highlight the need for secure systems.




