Polkadot Hyperbridge exploited; 1B DOT minted on Ethereum

An attacker used a proof-replay flaw in Hyperbridge’s HandlerV1 on Ethereum to mint 1 billion DOT and swap them for about $237 million after forging an admin message.

On-chain analysis shows an attacker exploited a proof-replay flaw in Hyperbridge’s HandlerV1 contract on Ethereum to mint 1 billion DOT and convert the tokens into roughly $237 million in ETH. The exploit relied on a forged message that granted the attacker admin privileges on the bridge contract.

The flaw allowed a previously accepted bridge proof to be reused with a new request. Replaying the proof enabled privileged actions, including changing admin permissions and authorizing minting based on supplied deposit data without an effective cap tied to deposits.
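A toy model of the class of flaw described above, added here for illustration and not taken from Hyperbridge's contracts. It assumes an HMAC as a stand-in for the bridge's proof verification, and all class names, fields and values are constructed. The weak handler checks a proof without tying it to the request it executes; the hardened one binds the proof to the request, consumes it once, and caps minting at recorded deposits.

```python
import hashlib, hmac

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the bridge's proof check

def commit(req):
    """Canonical hash of a request (hypothetical encoding)."""
    return hashlib.sha256("|".join(f"{k}={req[k]}" for k in sorted(req)).encode()).digest()

def attest(commitment):
    """Source side: produce a proof for exactly one commitment."""
    return hmac.new(KEY, commitment, hashlib.sha256).digest()

def proof_ok(commitment, proof):
    return hmac.compare_digest(attest(commitment), proof)

class WeakHandler:
    """Checks the proof against a caller-supplied commitment, then runs req unbound."""
    def __init__(self):
        self.minted = 0
    def handle(self, req, claimed_commitment, proof):
        if not proof_ok(claimed_commitment, proof):
            return "rejected: bad proof"
        self.minted += req["amount"]  # no replay check, no cap tied to deposits
        return "executed"

class HardenedHandler:
    """Binds the proof to the request, consumes it once, caps minting at deposits."""
    def __init__(self, deposited):
        self.deposited, self.minted, self.consumed = deposited, 0, set()
    def handle(self, req, proof):
        c = commit(req)  # recomputed from the request that will actually run
        if not proof_ok(c, proof):
            return "rejected: proof does not cover this request"
        if c in self.consumed:
            return "rejected: already executed"
        if self.minted + req["amount"] > self.deposited:
            return "rejected: exceeds deposits"
        self.consumed.add(c)
        self.minted += req["amount"]
        return "executed"

def run_demo():
    genuine = {"nonce": 1, "to": "user-a", "amount": 10}         # constructed
    swapped = {"nonce": 2, "to": "user-b", "amount": 1_000_000}  # constructed
    proof = attest(commit(genuine))
    weak, hard = WeakHandler(), HardenedHandler(deposited=10)
    return [weak.handle(swapped, commit(genuine), proof), hard.handle(swapped, proof),
            hard.handle(genuine, proof), hard.handle(genuine, proof),
            weak.minted, hard.minted]
```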

The attacker executed the sequence on Ethereum in a single set of transactions: minting the DOT on the bridge, transferring the full amount in one transaction, and selling the tokens for ETH. On-chain records show the exploiter then moved the proceeds through a Railgun wallet to obscure the funds’ origin.

Researchers and security firm CertiK confirmed that a forged authorization message was used to obtain admin rights on the Hyperbridge contract. The breach affected the bridge implementation on Ethereum and did not directly interact with other chains in the Polkadot network.

Hyperbridge is the multi-chain hub approved by the Polkadot DAO for DOT and vDOT swaps. Polkadot’s core protocol was not directly compromised. The Hyperbridge contracts have been paused and there are no reports of other assets being affected.

Market activity followed immediately: DOT’s price fell to about $1.19 after the large sale, a decline of roughly 2.9 percent driven in part by price slippage from the rapid liquidation. On-chain data shows the exploiter received about $237 million for the minted tokens.

Railgun’s mixer was used to move the ETH; initial attempts to blacklist the addresses involved were not fast enough to prevent use of the service. The bridge had low activity shortly before the exploit, with virtually no DOT swaps recorded.

Polkadot maintains a capped total supply of 2.1 billion DOT. On-chain figures indicate the minted 1 billion tokens represented more than half of the circulating supply at the time of the incident.

This is the third major bridge-related breach affecting Polkadot’s ecosystem, after a 2025 XCM bridge exploit that resulted in approximately $35 million lost and the 2022 Nomad bridge hack that involved about $200 million. Developers and governance participants are expected to review Hyperbridge’s code and bridge validation procedures so that proofs cannot be replayed and forged authorization messages are not accepted.

Investigations and on-chain tracing of the transactions are ongoing.
