Hyperbridge Exploit Results in Limited Loss Despite Massive Token Mint

A security flaw in Hyperbridge's cross-chain infrastructure led to the unauthorized minting of 1 billion bridged Polkadot (DOT) tokens on the Ethereum network this past Sunday. The exploit targeted the bridge's EthereumHost contract, which failed to properly validate incoming cross-chain messages before passing them to the TokenGateway. By submitting a forged message via the dispatchIncoming function, the attacker successfully executed a changeAdmin command, transferring administrative rights of the bridged token contract to their own address. This control allowed the attacker to mint a massive supply of tokens in a single transaction. Despite the nominal value of the minted tokens exceeding $1 billion, the attacker was only able to extract roughly 108.2 ETH, valued at approximately $237,000. The discrepancy was caused by the limited depth of the Uniswap V4 DOT-ETH pool; the massive volume of tokens overwhelmed available liquidity, resulting in a fraction of a cent per token. Polkadot's native network and the core DOT token remained unaffected, as the vulnerability was isolated to the Hyperbridge gateway. The incident underscores the systemic risks associated with cross-chain bridges, which often maintain high-level permissions on destination chains, making them prime targets for exploitation. CertiK has confirmed the attack vector and the final profit extracted by the attacker. Hyperbridge has not yet issued a public statement regarding the vulnerability or whether other bridged assets using the same gateway are susceptible to similar forged-message attacks.