Hyperbridge Bug Minted 1B Fake DOT — Attacker Only Cashed Out ~$240K

What actually went down

Hyperbridge, the cross-chain bridge connecting Polkadot to Ethereum, got elbowed by a nasty bug that let an attacker mint roughly 1,000,000,000 counterfeit DOT tokens on Ethereum. Before the big mint, the same attacker also pulled about 245 ETH from a related contract — then sliced that haul into smaller amounts and funneled it through privacy mixers.

The technical root cause? A replay-style cryptographic blind spot in the bridge’s proof system. In short: the bridge verified security proofs but didn’t properly tie those proofs to the exact message they were supposed to authorize. The VerifyProof() routine checked that a proof hadn’t been used already, but it failed to confirm that the proof actually matched the payload. By fiddling with index parameters, the attacker slipped in old-but-valid proof material attached to newly forged requests, escalated to admin privileges and told the contract to conjure up one billion DOT.

Luckily for everyone except the bridge’s dignity, the attacker’s payday was small. The forged DOT ended up in a relatively shallow liquidity pool on Ethereum. When the attacker tried to dump the massive supply for ETH, the pool’s pricing algorithm tanked the token price to microscopic amounts almost instantly, so the attacker only managed to extract around $240,000. The bridge team paused the protocol, and outside engineers stepped in to contain the mess. Importantly, Polkadot’s core chain and its parachains remained untouched — the exploit was isolated to Hyperbridge’s Ethereum side.

Why this feels funny and terrifying at the same time

The whole episode has a wonderfully ironic edge: Hyperbridge had posted a jokey April Fools’ take about being hacked just a couple of weeks earlier. That prank aged poorly once the real exploit showed up.

Beyond the meme, this is a reminder of two brutal truths about cross-chain plumbing. First: bridges are lucrative honey pots. They lock up large reserves to mint wrapped versions of tokens, so any flaw in validator keys or smart contract checks can give attackers a big lever — whether to drain funds or mint endless supply. Second: market mechanics can sometimes save the day. In this case, shallow liquidity caps limited the attacker’s gains; in other cases, deeper pools would let a bad actor cash out far more.

Bridge hacks aren’t new. There have been several massive losses in the past (think hundreds of millions taken on other bridges), and this incident just reinforces that cross-chain code and proof handling need extremely strict checks. The fix here is straightforward in principle: properly bind proofs to messages, validate incoming parameters, and never assume a request hash check alone is enough.

At the end of the day, the incident is a messy cocktail of human hubris (prank tweets, anyone?), subtle cryptography bugs, and the reality that liquidity dynamics matter as much as code. If you like drama with a side of technical lesson: welcome to modern crypto.