Liquidity Constraints Limit Damage in Hyperbridge Cross-Chain Exploit

A security vulnerability in the Hyperbridge cross-chain gateway allowed an attacker to mint 1 billion bridged Polkadot (DOT) tokens on the Ethereum network this past Sunday. Despite the massive volume of tokens created, the attacker was only able to extract approximately 108.2 ETH, valued at roughly $237,000. The exploit occurred within the Hyperbridge EthereumHost contract, which failed to properly validate incoming cross-chain messages. By submitting a forged message via the dispatchIncoming function, the attacker was able to execute a changeAdmin command, transferring administrative rights of the bridged token contract to their own address. With administrative control, the attacker minted 1 billion tokens in a single transaction. However, the attempt to liquidate these assets through Odos Router V3 into a Uniswap V4 DOT-ETH pool was severely hampered by a lack of market depth. The massive influx of tokens overwhelmed the available liquidity, causing the price to collapse and leaving the attacker with only a fraction of a cent per token. This incident follows a pattern of bridge vulnerabilities observed in 2026, including a $270 million drain on Solana's Drift Protocol. While Polkadot's native token and core network remained unaffected, the event underscores the systemic risks inherent in cross-chain architectures where single validation failures can grant unlimited minting capabilities. CertiK has confirmed the attack vector and the final profit amount. Hyperbridge has yet to issue a public statement regarding the exploit or whether other bridged assets using the same gateway remain at risk.